Escolar Documentos
Profissional Documentos
Cultura Documentos
2
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
Table Of Contents
1 Virtual Private Networks 10
1.1 VPN Overview 10
1.2 VPN Architecture 11
1.2.1 The Overlay Model 11
1.2.1.1 Types of Shared Backbone VPNs/Overlay Networks 11
1.2.1.1.1 Circuit-switched VPN 11
1.2.1.1.2 Frame relay or ATM VPN 11
1.2.1.1.3 IP VPN 11
1.2.1.2 Disadvantages of the Overlay Model 11
1.2.2 The “Peer Model” VPNs 12
1.2.2.1 Who is Peering with Whom? 12
1.2.2.2 Advantages of the Peer Model 13
1.2.2.3 Difficulties in Providing the Peer Model 13
1.2.2.3.1 Routing information overload in the P routers 13
1.2.2.3.2 What Contiguous Address Space! 13
1.2.2.3.3 Private Addressing in the C Networks 13
1.2.2.3.4 Access Control 14
1.2.2.3.5 Encryption 14
1.3 MPLS-VPNs 14
1.3.1 MPLS-VPN Overview 14
1.3.2 MPLS VPN Requirements 14
1.3.3 MPLS-VPN Pre-requisites 15
1.3.4 MPLS-VPN - The True Peer Model 15
1.3.5 New Address Family 16
1.3.6 Thou Shalt Not Have to Carry 50,000 Routing Entries 16
1.3.7 Route Reflectors 16
1.3.8 Packet Forwarding - PEs Utilize BGP While Ps use LDP 17
1.3.9 Take Two Labels Before Delivery 17
1.3.10 Intranets and Extranets 17
1.3.11 Security 18
1.3.12 Quality of Service in MPLS-Enabled Networks 20
1.3.12.1 DiffServ 20
1.3.12.2 Design Approach For Implementing QoS 20
1.3.12.3 Cisco IOS“ QoS/CoS Toolkit 20
1.3.12.3.1 IP Precedence 21
1.3.12.3.2 Committed Access Rate (CAR) 21
1.3.12.3.3 Differential Discard and Scheduling Policies 21
1.3.12.3.4 Modified Deficit Round Robin 23
1.3.12.4 Proper QoS Tool Placement in the Network 23
1.3.12.4.1 QoS At the Edge 23
1.3.12.4.2 QoS In the Core 23
1.3.12.5 ATM-based MPLS and QoS/CoS 24
1.3.12.5.1 ATM MPLS-VPN CoS/QoS Mechanisms 24
1.3.13 MPLS Traffic Engineering 26
1.3.13.1.1 RRR Requirements 27
1.4 Detailed MPLS-VPN Functional Characteristics 27
1.4.1 Per-Site Forwarding Tables in the PEs 28
1.4.1.1 Internet Connectivity 28
1.4.1.2 My VPN Doesn’t Talk to Your VPN 28
1.4.1.3 Virtual Sites 29
1.4.2 Same VPN, Different Routes to the Same Address 29
1.4.3 MPLS-VPN Backbone 29
1.4.4 A Set of Sites Inter-connected via a MPLS-VPN Backbone 30
1.4.5 CE-PE Routing Exchange 30
1.4.6 Backdoor Connections 30
1.4.7 Per-site VRFs on PEs 31
3
3
1.4.7.1 Development of VRF Entries 31
1.4.7.2 Default 31
1.4.7.3 Traffic Isolation 32
1.4.8 PEs Re-distribute Customer Routes to One Another 32
1.4.8.1 VPN-IPv4 Address Family 32
1.4.8.2 Import & Export Route Policy 33
1.4.8.2.1 Target VPN Attribute 33
1.4.8.3 Route Re-distribution 34
1.4.8.4 Building VPNs with Extended Community Attributes 34
1.4.8.5 Packet Forwarding across the Backbone 35
1.4.9 PEs Learn Routes from CEs 36
1.4.9.1 PEs Redistribute VPN-IPv4 Routes into IPv4 VRFs 36
1.4.9.2 PE-CE Routing Protocol Options 37
1.4.10 CEs Learn Routes from PEs 38
1.4.11 ISP as a Stub VPN 38
1.4.11.1 Encoding VPN-IPv4 Address Prefixes in BGP 38
1.4.11.2 Filtering Based on Attributes 38
1.4.11.2.1 Site of Origin 38
1.4.11.2.2 VPN of Origin 39
1.4.11.2.3 Target VPN/Route Target 39
1.4.12 BGP Amongst PE Routers 39
1.4.12.1 Ordinary BGP Routes 40
1.4.12.2 Internet Filtering 40
1.4.12.3 Route Aggregation 40
1.4.13 Security 40
1.4.13.1 Cisco’s Support of IPSec on CEs Today 40
1.4.13.2 IPSec Work in Progress 40
1.4.14 MPLS VPN Functional Summary 40
1.5 MPLS-VPN Configuration 41
1.5.1 Summary of MPLS-VPN Configuration Steps 41
1.5.2 MPLS-VPN Configuration Entities 41
1.5.2.1 VRF instances 41
1.5.2.1.1 IOS Configuration Command for a VRF Instance 41
1.5.2.1.2 VRF Configuration Sub-mode 41
1.5.2.2 Router Address Family 42
1.5.2.2.1 Backwards Compatibility 42
1.5.2.2.2 Address Family Components 42
1.5.2.2.3 Address Family Configuration 42
1.5.2.2.4 Address Family Usage 42
1.5.2.3 VPN-IPv4 NLRIs 43
1.5.2.4 Route Target (RT) Communities 43
1.5.2.4.1 CUG VPN 43
1.5.2.4.2 Hub-and-Spokes VPN 43
1.5.2.4.3 Controlled Access to Servers 43
1.5.3 MPLS-VPN Configuration, Next Steps: 44
1.5.4 Global-level versus sub-command VRF Commands 46
1.5.5 First Configuration Example 46
1.5.6 Second MPLS VPN Configuration Example 48
1.5.7 Third Configuration Example - Hub-and-Spokes 50
1.5.7.1 Configuration from CE: A-3620-mpls 50
1.5.7.2 Configuration from CE: B-3620-mpls 50
1.5.7.3 Configuration from: C-2611-mpls 51
1.5.7.4 Configuration from: D-1720-mpls 52
1.5.7.5 Configuration from: E-1720-mpls 53
1.5.7.6 Configuration from: H-7204-mpls 53
1.5.7.7 Configuration from: I-7204-mpls 54
1.5.7.8 Configuration from: J-7204-mpls 54
1.5.7.9 Configuration from: K-7204-mpls 56
1.5.7.10 Configuration from: L-7204-mpls 57
1.5.8 Fourth Configuration Example –Default Routing 58
4
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
5
5
3.3.1 MPLS-VPN Functionality - Available Platforms 88
3.3.2 GSR MPLS-VPN Support 89
3.3.3 MPLS Support in MSSBU Platforms 89
3.3.3.1 General MSSBU MPLS Support 89
3.3.3.2 The VSI Interface 89
3.3.3.3 VSI Resource Partitioning 90
3.3.3.4 The BPX 8650 90
3.3.3.5 MGX 8850 with the Route Processor Module 90
3.3.3.5.1 MGX Today - Edge LSR Functionality without the LSC 91
3.3.3.5.2 MGX Futures - LSC Support 92
3.3.4 12.0T and 12.0S Code Paths 92
3.4 Appendix D – Architecture of RRR 92
3.4.1 Introduction 93
3.4.2 Traffic Engineering Case Study 93
3.4.3 RRR Requirements 95
3.4.3.1 MPLS 95
3.4.3.2 RSVP Extensions 95
3.4.3.3 OSPF and IS-IS Extensions 95
3.4.4 Traffic Trunks and other RRR Traffic Engineering Paradigms 95
3.5 Appendix E – Application Note: MSSBU’s Demo Lab @ SP Base Camp Wk 2 96
3.5.1 Software Versions 96
3.5.1.1 LS1010 96
3.5.1.2 4700 96
3.5.1.3 2611 96
3.5.2 Configuration Examples 96
3.5.2.1 LS1010-A 96
3.5.2.2 LS1010-B 97
3.5.2.3 4700-A 97
3.5.2.4 4700-B 98
3.5.2.5 4700-C 99
3.5.2.6 2611-A 101
3.5.2.7 2611-B 101
3.5.2.8 2611-C 102
3.5.2.9 2611-D 103
6
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
Table of Figures
Figure 1 - MPLS-VPN Architectural components 12
Figure 2 - VPN Peer Model 15
Figure 3 - VPN Forwarding Information Example 17
Figure 4 – Stack of Labels 17
Figure 5 Using MPLS to Build VPNs 19
Figure 6 – Example of Class-Based Weighted-Fair Queuing 21
Figure 7 - CAR Sets Service Classes at the Edge of the network (Edge LSR) 23
Figure 8 - ATM Forum PVC Mode 25
Figure 9 – Multi-VC Mode 25
Figure 10 - Multi-VC Mode, Application of Cisco IOS QoS @Egress/Core 25
Figure 11 - Single ABR VC-Mode 26
Figure 12 - Implementations of Single-VC Mode 26
Figure 13 – CE Backdoor Scenario 31
Figure 14 - MPLS Traffic Engineering Scenario 1, Basic TE 75
Figure 15 - MPLS Traffic Engineering Scenario 2, Basic Tunnel Configuration 75
Figure 16 - MPLS Traffic Engineering Scenario 3, Path Options 75
Figure 17 - PPP + MPLS/VPNs in Cisco IOS 12.0T 79
Figure 18 - Potential PPP/MPLS-VPN Integration 80
Figure 19 - Scalability 80
Figure 20 - Long-term Potential PPP/VPN Integration 80
Figure 21 – Proposed MPLS/Multicast Support 81
Figure 22 – Proposed MPLS/Multicast Support, the Next Steps 82
Figure 23 - Eureka 1.0 Functional Components 82
Figure 24 - The Eureka Service Model 82
Figure 25 - Administrative Console Graphical User Interface for Eureka 82
Figure 26 - Service Auditing 85
Figure 27 - “Formula” for BPX 8650 ATM LSR 89
Figure 28 - The MGX 8850 IP+ATM Switch 89
Figure 29 - VSI & End-to-End MPLS Signaling 90
Figure 30 - Typical RPM Deployment 90
Figure 31 - PVP/PVC Connection between a pair of RPM ELSRs 91
Figure 32 - PVP connection between an RPM Edge LSR and a BPX 8650 with an LSC 91
Figure 33 - RPM Functionality without LSC 91
Figure 34 - MGX with LSC Support 92
Figure 35 - PVP connection between an RPM Edge LSR and an RPM LSC 92
Figure 36 -The Traffic Engineering Problem 93
Figure 37 -Traffic Engineering Example Topology 93
Figure 38 - MSSBU’s Demo Setup, SP Bootcamp for SE’s, March 22-26, 1999 96
7
7
Definitions
This section defines words, acronyms, and actions that may not be readily understood.
AXSM ATM Switch Service Module. A serial-bus-based Service Module supported on the
MGX 8850 beginning in Release 2, expected in CQ1, 2000. The AXSM card supports
a variety of broadband ATM interfaces.
MPLS Multi-Protocol Label Switching. The IETF equivalent of Tag Switching.
C Network Customer or enterprise network, consisting of Customer routers, which are maintained
and operated by the enterprise customer or by the Service Provider as part of a
managed service.
P Network Service Provider network, consisting of Provider routers, which are maintained and
operated by the Service Provider.
CE Router Customer Edge router - an edge router in the Customer network, defined as a C router
which attaches directly to a P router, and is a routing peer of the P router.
P Router Provider router (aka MPLS-VPN Backbone Router) - a router in the Provider network,
defined as a P router which may attach directly to a PE router, and is a routing peer of
other P routers. P Routers perform MPLS label switching.
PE Router Provider Edge router - an edge router in the Provider network, defined as a P router
which attaches directly to a C router, and is a routing peer of the C router. PE Routers
translate IPv4 addresses into VPN-IPv4 12-byte quantities. Please see the appropriate
definitions below.
VPN-IPv4 12-byte quantity. The first eight bytes are known as the Route Distinguisher (RD); the
next four bytes are an IPv4 address.
RD The Route Distinguishers (RD) are structured so that every service provider can
administer its own “numbering space” (i.e., can make its own assignments of RD’s),
without conflicting with the RD assignments made by any other service provider. The
RD consists of a two-byte Type field, and a six-byte Value field. The interpretation of
the Value field depends on the value of the Type field. At the present time, we define
only two values of the type field: 0 and 1.
Border router A router at the edge of a provider network which interfaces to another provider’s
Border router using EBGP procedures. E.g., a PE router that interfaces via IBGP to its
PE peers, as well as an EBGP peer to a public Internet router.
VRF VPN Routing/Forwarding. It is the set of routing information that defines a customer
VPN site that is attached to a single PE router. A VRF Instance consists of an IP
routing table; a derived forwarding table; a set of interfaces that use the forwarding
table; and a set of rules and routing protocols that determine what goes into the
forwarding table (From “Approved_Draft 2 Final Tappan VPN”). There are three
pieces to VRFs. The first is multiple routing protocol contexts. The second is multiple
VRF routing tables. And the third is multiple VRF forwarding tables using FIB (CEF)
forwarding tables. One can have only one VRF configured per (sub-)interface.
VRF Routing Table Table which contains the routes which should be available to a particular set of sites.
This is analogous to the standard IP routing table, which one may see with the “show
IP route” Cisco IOS EXEC command, and it supports exactly the same set of
redistribution mechanisms. MPLS-VPN code in Cisco IOS has routing information in
CONFIG and EXEC modes with a VRF context. For example, one can issue a “show
ip route vrf vrf_name.”
VPN0 A future feature that will allow the re-distribution of the public Internet BGP tables
into MPLS-VPN tables to be exchanged amongst PEs, if so desired. Contrast that with
the ability of the software (in the future) to refer to the global routing table if a route
lookup fails inside a particular VRF.
Global Routing Table The standard Cisco IOS IP routing table that traditional commands like “show ip
route” utilize.
8
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
VRF Forwarding Table Contains the routes that can be used from a particular set of sites. This uses the FIB
forwarding technology. FIB must be enabled in order to support VPN.
VSI Virtual Switch Interface. A protocol that allows for a common control interface to
some of of Cisco’s ATM switches, for example, the MGX and BPX products. VSI is a
protocol through which a master controls a slave. The Label Switch Controller is the
master that, based on the MPLS information that it has, controls the operation of the
slave ATM switch, which has no knowledge about MPLS. All the switch knows is that
it understands VSI and how to respond to the requests from the master. VSI was
invented by Cisco and implemented first with the LSC. It has recently been submitted
to the Multi-Service Switching Forum for consideration as an open standard.
Label Switching The IETF equivalent of Tag Switching, or the act of switching labels/tags.
Label Header used by an LSR to forward packets. The header format depends upon network
characteristics. In non-ATM networks, the label is a separate, 32-bit header, and QoS
isapplied using the ToS field in IP headers. In ATM networks, the label is the same
length, but an unlimited number of labels can represent different levels of service.
They are placed into the Virtual Channel Identifier/Virtual Path Identifier (VCI/VPI)
cell header. In the core, LSRs read only the label, not the packet header. One key to the
scalability of MPLS is that labels have only local significance between two devices
that are communicating.
LDP Label Distribution Protocol. The IETF equivalent of Tag Distribution Protocol (TDP)
LSR Label Switch Router. The IETF equivalent of a Tag Switch Router (TSR). The core
device that switches labeled packets according to pre-computed switching tables. It can
be a router, or an ATM switch plus LSC.
Edge LSR The IETF equivalent of a Tag Edge Router (TER). The edge device that performs
initial packet processing and classification, and applies the first label. i.e., the role of
an Edge LSR is to turn unlabeled packets into labeled ones. This device can be either a
router, such as the Cisco 7500, or a Cisco IP+ATM switch that has a routing
entity/LSC.
LSC Label Switch Controller. IETF equivalent of Tag Switch Controller (TSC). An LSC is
an MPLS router, with the unique characteristic that it also controls the operation of a
separate ATM switch in such a way that the two of them together function as a single
ATM Label Switch Router. From the outside, the combination of the LSC and ATM
switch are viewed as a single high performance MPLS router. It’s important to note
that the LSC capability is an extension of the basic Label Switch router capability.
LSC functionality is a superset of the functionality of an ATM Label Switch Router.
This paradigm allows a Cisco BPX to be converted to also an MPLS LSR. The MGX
will have that functionality, but with the introduction of the PXM 2 switch controller,
expected out around June of 2000.
LSP Label Switch Path. Path defined by all labels assigned between end points. An LSP can
be dynamic or static. It is the IETF equivalent to TSP.
LFIB Label Forwarding Information Base. IETF equivalent of Tag FIB (TFIB).
Label The IETF equivalent of Tag.
LVC Label VC. IETF equivalent of Tag VC (TVC).
VPN Virtual Private Network
9
9
• MPLS VPNs provide privacy and security
1 Virtual Private Networks
equal to Layer-2 VPNs by constraining the
distribution of a VPN’s routes to only those
1.1 VPN Overview
routers that are members of that VPN2, and
A Virtual Private Network is defined as network by using MPLS for forwarding.
whereby customer connectivity amongst multiple • MPLS VPNs offer seamless integration
sites is deployed on a shared infrastructure with the with customer intranets.
same policies as a private network. Examples of
• MPLS VPNs have increased scalability
Virtual Private Networks are the ones built using
over current VPN implementations, with
traditional Frame-Relay and ATM technologies.
thousands of sites per VPN and hundreds of
Service Providers have been very successful with
thousands of VPNs per service provider.
these services and double-digit growth rates are
expected to continue for a number of years. • MPLS VPNs provide IP Class of Service
(CoS), with support for multiple classes of
An IP VPN is simply a VPN that provides IP service within a VPN, as well as priorities
connectivity on an intra- as well as inter-company amongst VPNs, as well as a flexible way of
basis. In other words, the VPN infrastructure is IP- selecting a particular class of service (e.g,,
aware. based on a particular application).
• MPLS VPNs offer easy management of
Cisco has a number of strategies to address this
VPN membership and easy provisioning of
emerging market for IP intra-networking as well as
new VPNs for rapid deployment.
extra-networking1. The hub-and-spokes pattern
common to existing VPNs is being replaced with • MPLS VPNs provide scalable any-to-any
any-to-any mesh patterns. Moreover, conventional connectivity for extended intranets and
VPNs are based on creating and maintaining a full extranets that encompass multiple
mesh of tunnels or permanent virtual circuits among businesses.
all sites belonging to a particular VPN, using IPSec, Service Providers will utilize the
L2TP, L2F, GRE, Frame Relay or ATM. To functionality of MPLS-VPN to offer an IP
provision and manage these overlay schemes is not service. However, the MPLS-VPN focus is
supportable in a network that requires thousands or not on providing VPNs over the public
tens of thousands of VPNs, and hundreds, thousands, Internet3. Customer requirements for public
and tens of thousands of sites in those VPNs. Internet connectivity can be accomplished
through the injection of external or default
MPLS-based VPNs, which are created in Layer 3, routes into CPE routers. Furthermore, a
are based on the peer model, and therefore Service Provider can optionally provision
substantially more scalable and easier to build and data encryption services for their customers,
manage than conventional VPNs. In addition, value- through the overlaying of IPSec tunnels on
added services, such as application and data hosting, top of MPLS-VPN.
network commerce, and telephony services, can
easily be targeted and deployed to a particular
MPLS VPN because the Service Provider backbone 2
As of Cisco IOS 11.0(5)T, the MPLS-VPN PE routers that
exchange VPN-IPv4 routes via IBGP, receive all routes for all
will recognize each MPLS VPN as a secure, VPNs. They then accept into the appropriate VPN routing
connectionless IP network. tables only the routes that pertain to the respective VPNs.
Development Engineering currently has experimental code that
MPLS-based VPNs offer these benefits: does this more efficiently by performing inbound filtering
before importing all the routes into the global BGP table. The
reader should consult with Product Marketing or the "tag-vpn"
• MPLS VPNs provide a platform for rapid e-mail alias as to availability of that feature in a supported
deployment of additional value-added IP services, release. There is also work for Outbound Route Filtering
(ORF), which is a dynamic way to exchange outbound filters
including Intranets, Extranets, voice, multimedia, between BGP speakers. The ORF draft, which is not published
and network commerce. yet, considers one ORF-type today (NLRI) but it will be
extended in order to use the route-target (ExtComm) attributes,
which will make an IBGP PE router send to an IBGP peer only
the routes that it is interested in (i.e., routes for VPNs it has
been configured with.)
1 3
An extranet is a network connecting IP systems within a company as well Although a Service Provider that offers MPLS-VPN services
as at least one other independent entity. The public Internet can substitute can also utilize that infrastructure to offer global Internet
for the "other independent entity." connectivity.
10
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
11
11
of the number of sites4. Apart from the cost, the IP
routing algorithms scale poorly5 as the number of
direct connections amongst routers grows, which
causes additional problems.
In the overlay model the enterprise customer needs
to come to an agreement with the Service Provider
as to who is responsible for designing and operating
the “backbone” that inter-connects the customer
sites. Neither alternative of the Service Provider
versus the customer designing and operating the
backbone is attractive. If it is the customer’s
responsibility, then the staff for that customer needs
to have IP routing expertise, and most customers do
not have the luxury of affording such
knowledgeable staff. So, this doesn’t scale to a large
number of customers. The second alternative, which 1.2.2.1 Who is Peering with
calls for the Service Provider to design and support Whom?
each and every one of its VPN customers, does not
scale either. That endeavor is fairly expensive, and In the peer model VPN, two C routers are
doesn’t scale to a large number of customers. So routing peers of each other only if they are
neither alternative scales to a large number of VPNs. at the same site. That is, Customer router C1
does not have a peering (neighbor)
relationship with router C2, belonging to the
1.2.2 The “Peer Model” VPNs
same customer, in a different site. Rather,
But why does the enterprise have to design and each site has at least one CE router, which is
operate a backbone network at all, even a virtual peered to at least one PE router.
backbone network, and engage its staff in properly
designing and supporting one or more IGPs? The In the peer model, the SP backbone
SP, which is already providing the backbone routers/switches will themselves be IP
infrastructure, can certainly design and operate the networks. Contrast that to a public X.25,
backbone. Then each site won’t require peering with Frame Relay, or ATM network, where the
a head-end router, and, in the case of partial or full provider’s backbone is a collection of Data
meshing, more neighbor relations. The peer model Link Layer devices that communicate
VPN will merely require that a router attach to one amongst themselves with a common, usually
of the SP’s routers. From the point of view of a proprietary, protocol. Since CE routers do
particular site administrator, every IP address that not exchange routing information with one
isn’t located at one’s own site is reachable via the another, there is never any need for data to
SP’s backbone network. How the SP’s backbone travel through transit CE routers6. Data goes
decides to route the traffic is the SP’s concern. from an ingress CE router, through a
sequence of one or more P (backbone)
routers, to an egress CE router. Hence we
get optimal routing.
Since CE routers do not directly7 exchange
routing information with other CEs, there is
no virtual backbone for the enterprise to
manage. It is of course possible to use an IP
Figure 1 - MPLS-VPN Architectural components
backbone as if it were a Frame Relay
network, setting up “virtual circuits” of a
4
Actually, the number of connections is [(N-1) * N] / 2, where N is the sort amongst CE routers. This is commonly
number of sites. So, four fully-meshed sites require [4*3]/2 = 6
connections. Five sites stipulate 10 links, and so on.
5 6
One cannot envisage an IGP like EIGRP, OSPF, or ISIS with several Versus for example CE routers in a non-fully-meshed Frame
hundred or thousand peers. Amongst the many problems with this design Relay environment.
7
is the CPUs of the routers will be overwhelmed, while the routing CE routers do exchange routing information with one another,
overhead will occupy a good portion of the WAN bandwidth. but indirectly, via PEs.
12
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
done by means of some form of IP tunneling. This is 1.2.2.3.2 What Contiguous Address
still the overlay model though, and has all the Space!
problems of that model. The peer model is very Topologically, Internet Service Providers
different. (ISPs) generally try to assign addresses in a
meaningful way. That is, the address a
1.2.2.2 Advantages of the Peer Model system has should be related to where it
The peer model has many advantages: attaches to the ISP’s network. This sort of
addressing scheme allows routing
• The amount of work the Service Provider needs to information to be aggregated, reducing the
do in order to provision a new enterprise customer routing load on the P routers8.
site is O(1) – independent of the number of sites in
the VPN. In contrast, amount of work is O(n) in However, many enterprise networks have
the overlay model, where n is the number of sites in addressing schemes that will not necessarily
the VPN. map well to the backbone topology of any
SP. Addresses in the enterprise network will
• The peer model allows optimal routing of customer
have been assigned to the various sites
data through the Service Provider’s backbone, as
without regard to where in the SP’s network
there will not be the need for transit CEs.
the site will eventually be attached.
• The enterprise customer does not have a virtual
backbone to manage. The customer just plugs in a This reduces the opportunities for route
CE router at each site. aggregation, with more enterprise routing
• The peer model makes it simple for a service information passed into the P network.
provider to provide server hosts that can be Expecting the enterprise customer to re-
accessed from multiple VPNs. With the overlay address all its IP hosts is unrealistic, due to
model, this requires a virtual circuit from each VPN. administrative burdens and hence the costs
Thus the peer model provides advantages to of such an endeavor.
producer and consumer - less work for the SP, and
more value for the enterprise customer. 1.2.2.3.3 Private Addressing in the C
Networks
1.2.2.3 Difficulties in Providing the Another problem is that many enterprise
Peer Model networks use non-unique addresses. That is,
the addresses are unique within the
While the peer model has many advantages over the particular enterprise, but not amongst
overlay model, there are a number of problems that enterprises. If a single IP backbone is shared
must be solved before the peer model can be used. as the backbone for two different enterprise
1.2.2.3.1 Routing information overload in the networks, and those enterprise networks had
P routers non-unique addresses, the P routers will
have no way of ensuring that packets get to
The peer model requires that routing information
their intended destinations.
from the C network flow into the P network. One of
the main problems in large IP backbones is the 1.2.2.3.4 Access Control
amount of resources (memory, processing, If an enterprise buys IP backbone service
bandwidth) needed to store the routing information. from an SP, it wants some assurance that
If one takes an IP backbone and then adds routing packets which enter their enterprise network
information from a whole set of enterprise networks, come from that enterprise network, and that
the P routers will never be able to handle it. packets which originate in the enterprise
So, to make the peer model successful, the amount network do not leave the enterprise network
of routing information which the backbone routers “by accident.” If enterprise network routing
must maintain, has to scale well as the number of
VPNs supported by the backbone grows. 8
In fact, this IP route aggregation, referred to as Classless
Inter-Domain Routing, or CIDR, has allowed Service Providers
to slow down the growth in the size of the Internet routing
tables. Please refer to the appropriate CIDR RFCs for further
information.
13
13
information is passed into the P network, how can particular VPN. Therefore, a packet can
this sort of inter-enterprise communication be enter a VPN only through an interface on
controlled? the PE that is associated (via provisioning)
with that VPN.
Of course, two enterprises may wish to
Traffic separation occurs without tunneling
communicate directly, or over the Internet. But they
or encryption, because it is built directly into
want such communication to occur through
the network itself10.
firewalls. However, they do not want intra-
enterprise communication to occur through firewalls. Briefly, MPLS-VPN has the following
Yet they may want to use the same ISP backbone characteristics:
for all these purposes.
• Multiprotocol BGP extensions are used to
1.2.2.3.5 Encryption encode customer IPv4 address prefixes into
To ensure privacy, one should set up point-to-point unique VPN-IPv4 NLRIs.
encrypted tunnels between every pair of CE routers • Extended BGP community attributes are
(this is the IPSec model). This particular solution used to control the distribution of customer
lends itself nicely to the overlay model, since the routes.
overlay model already uses a point-to-point tunnel • Associated with each customer route is an
between each pair of CE routers9 that are “routing MPLS label. The PE router that originates
adjacencies”. It lends itself less nicely to the peer the route assigns this. The label is then used
model, since in the peer model, a given CE router to direct data packets to the correct egress
has no way of knowing the identity of the next CE CE router.
router for a given packet.
• MPLS forwarding is used across the
provider backbone based on either dynamic
1.3 MPLS-VPNs IP paths, or Traffic Engineered paths.
1.3.1 MPLS-VPN Overview • When a data packet is forwarded across the
backbone, two labels are used. The top
MPLS-VPN is a “true peer VPN” model that label directs the packet to the appropriate
performs traffic separation at Layer 3, through the egress PE router. The second label indicates
implementation of separate IP VPN forwarding how that egress PE should forward the
tables. packet.
MPLS-VPN enforces traffic separation amongst • Cisco MPLS CoS/QoS mechanisms provide
customers by assigning a unique VRF to each service differentiation amongst customer
customer’s VPN. data packets.
• Standard IP forwarding is used between the
This delivers the same level of privacy as ATM or PE and CE routers. The PE associates each
Frame Relay, because users in a specific VPN CE with a per-site forwarding table that
cannot see traffic outside their VPN. The same level contains only the set of routes available to
of privacy is provided because of the following that CE router.
factors:
1.3.2 MPLS VPN
(1) forwarding within the Service Provider backbone is Requirements
based on labels,
There are four major technologies that
(2) LSPs within the Service Provider infrastructure
provide the ability to actuate MPLS-VPN.
begin and terminate at the PE routers,
The first is Multi-Protocol BGP. The second
(3) it is the incoming interface on a PE router’s is route filtering based on the “route target”
interface, that determines which forwarding table to extended BGP community attribute. We use
use when handling a packet, and MPLS forwarding to carry the packets
(4) each incoming interface on a PE router is across the backbone. Finally, Provider Edge
associated (at the provisioning time) with a
10
Please refer to the Security sub-section at the end of the
9
That is, the IP address of the other end of the point-to-point tunnel is detailed section on MPLS-VPN.
reachable from the source.
14
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
routers utilize multiple routing and forwarding 1.3.4 MPLS-VPN - The True
instances. Peer Model
MPLS-VPN utilizes BGP amongst PE routers to In this VPN paradigm, MPLS is used for
facilitate Customer routes. This is facilitated forwarding packets over the backbone, and
through extensions to BGP to carry addresses other BGP is used for distributing routes over the
than IPv411. In particular, we’ve defined a new backbone. The primary goal of this method
address family of the VPN-IPv4 address. It consists is to support the outsourcing of IP backbone
of a 96-bit address, which has a 64-bit prefix that services for enterprise networks. It does so
we call the Route Distinguisher, that makes the in a manner that is simple for the enterprise,
address unique in the backbone. The MPLS Label is while still scalable and flexible for the
carried as part of a BGP routing update. The routing Service Provider, and while allowing the
update also carries the addressing/reachability Service Provider to add value. These
information. So long as the 96-bit entity is unique techniques can also be used to provide a
across the MPLS-VPN network, proper connectivity VPN which itself provides IP service to
is transacted even if different enterprise customers customers.
used non-unique IP addresses.
The CE router is a routing peer of the PE(s)
to which it is attached13, but is not a routing
1.3.3 MPLS-VPN Prerequisites peer of CE routers at other sites. Routers at
On the appropriate router platforms, one has to have different sites do not directly exchange
the PLUS image set. It is also a requirement to have routing information with one another; in fact,
CEF or FIB12 switching on the PEs. they do not even need to know of other CEs
at all (except in the case where this is
On the P side, MPLS has to be configured. necessary for security purposes). As a
consequence, very large VPNs (i.e., VPNs
There are no requirements on the CE router, except
with a very large number of sites) are easily
IP static or dynamic forwarding. If so desired, RIP
supported, while the routing configuration
II or EBGP is required if either one of these
for each individual site is greatly simplified.
protocols is spoken in common with the Service
Provider equipment. The True Peer Model maintains proper
administrative boundaries between the C
network and the P network. Solely the SP
VPN A/Site 2 should administer the PE and P routers, and
10.2/16
VPN B/Site 1 the SP’s customers should not have any
10.2/16
10.1/16
CE1B1 CEA2
management access to it. Solely the
CEB2
VPN B/Site 2
CE2B1
P1 PE2 customer should administer the CE devices
P2
(unless the customer has contracted the
PE1 PE3
CEA1 P3
CEA3 management services out to the SP).
10.3/16
CEB3
10.1/16 VPN A/ Site 3 In the True Peer Model, each site in a
VPN A/ Site 1 10.4/16
VPN B/ Site 3 particular C network can interface to the
Figure 2 - VPN Peer Model Service Provider backbone via RIP II, static,
or EBGP routing. When configuring an
EBGP peering relationship between the CE
and PE, the C network is modeled as an
Autonomous System; the CE router(s) at a
site use External BGP to exchange routing
information with the PE router(s) at that site.
11
RFC2283: "Multi-protocol Extensions for BGP-4," makes it possible
RIP II or static routing are current
for BGP to carry routing information other than just IPv4 – multiple alternatives to EBGP. The C network’s
network layer protocols, one of which is MPLS. The extensions are interior routing protocol (i.e., its IGP) runs
backward compatible - a router that supports the extensions can inter-
operate with a router that doesn't support the extensions. It will utilize
"classical BGP-4."
12 13
Cisco Express Forwarding, also referred to internally as Forwarding Statically, via RIP II, or EBGP. OSPF support will occur in
Information Base. the future.
15
15
independently at each site, and does not run in the P interior routers of the backbone receive
network. In other words, the True Peer paradigm routes for VPN-IPv4 addresses.
models each VPN as an internet, with the backbone,
the P network(s), connecting the sites together. When providing VPNs in this manner, the
border routers are the PE routers. In the
public Internet, all routes known to any
1.3.5 New Address Family
border router must be known to all, or else
IPv4 addresses from a particular C network are complete end-to-end connectivity may not
mapped, by the PE14 routers, into corresponding be possible. However, when providing
addresses in a new address family, the VPN-IPv4 multiple VPNs over a shared backbone, it is
address family15. A VPN-IPv4 address is a twelve- neither necessary nor desirable to provide
octet quantity. The first eight bytes are known as the complete end-to-end connectivity. End-to-
Route Distinguisher (RD); the original IPv4 address end connectivity should be provided only
occupies the next four bytes. If two C networks amongst systems which are in the same
attach to the same P network, and a given IP address VPN. VPN-IPv4 routing information for a
is used in both C networks, the PE routers which particular C network is exchanged, using
attach to the C networks will translate the IPv4 BGP, only by the PE routers that attach to
address into two different VPN-IPv4 addresses (by that C network. PE routers that do not attach
using a different RD), depending on which C to a particular C network will not receive the
network the address belongs to. Thus even when routing information for that network. Hence
two C networks use the same IPv4 address, the the amount of routing information stored in
corresponding VPN-IPv4 addresses will be different. a PE router is not proportional to the total
Within the P network, routes to addresses that are number of VPNs supported by the P
within C networks are maintained as routes to VPN- network, but only to the number of VPNs to
IPv4 addresses16. Hence the fact that there is overlap which that P router is directly attached.
between the address spaces of the two C networks
does not cause any ambiguity in the P network. As 1.3.7 Route Reflectors
long as a given end system has an address which is
unique within the scope of the VPNs that it belongs If a particular C network is attached to a
to, the end system itself does not need to know large number of PE routers, the need to have
anything about VPNs. each one distribute routing information to all
the others can cause a scalability problem.
However, this problem can be addressed by
1.3.6 Thou Shalt Not Have to Carry
means of well known techniques, such as
50,000 Routing Entries
the use of BGP Route Reflectors. That is,
The Internet needs to be a default-free zone for the rather than having a PE distribute the routes
Service Providers that are carrying the IP prefixes in directly to another PE, the two PEs can be
full. Hence when a Service Provider needs to carry clients of a common route reflector. A given
those routes via BGP4 across their backbone, all route reflector need not handle routes from
their IBGP peers need to have full IP routes. , This all VPNs; the set of VPNs using a particular
causes scaling problems as the number of routes backbone can be partitioned, and each set of
gets very large. However, hierarchical label VPNs can be assigned to a different Route
switching provides a forwarding mechanism which Reflector. In no case is there ever any one
allows one to maintain exterior routes only at border system that needs to know all the routes.
routers. Although BGP17 is used to distribute VPN This fact makes it possible to scale the
routing information, one does not require that the system virtually without limit.
Before a PE router distributes routing
information (about other sites in the C
14
This mapping or translation, from IPv4 to VPN-IPv4 is referred to as network) to a CE router, it translates the
MPLS-VPN edge function.
15
RFC2547, Section 4.1 VPN-IPv4 addresses into IPv4 addresses, by
16
That is, a P router (which is actually an MPLS LSR) has an VPN-IPv4 stripping off the first eight bytes. Thus the
route that the appropriate PE – the one directly attached to the CE router
that is originating the C route – will translate to/from IPv4 and VPN-IPv4.
CE routers see only ordinary IPv4 addresses;
17
That is, BGP with Mult-protocol extension support, as discussed only in the P network is the longer
elsewhere in this document.
16
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
addressing form used. The C routers do not need to 1.3.9 Take Two Labels Before
support the VPN-IPv4 address family. Delivery
As is indicated in figure 4, an ingress PE
1.3.8 Packet Forwarding - PEs receives “normal” IP Packets from its CE
Utilize BGP While Ps use LDP router, at which point the PE does an “IP
Longest Match” from VPN_B FIB , finds
iBGP next hop PE2, and imposes a stack of
VPN C/Site 2
12.1/16
labels: EXTERIOR label L2 + INTERIOR
VPN B/Site 1
CEA2
11.2/16 label L8.
CE1B1 Static
11.1/16 RIP
RIP CEB2
RIP P1 PE2 VPN B/ Site 2
CE2B1 BGP
PE1 P2
CEA1 Static P3
PE3 RIP
CEB3 CEA3
16.2/16
BGP
16.1/16 VPN A/ Site 3
VPN A/ Site 1 12.2/16
VPN C/Site 1
17
17
the egress PE router for a given packet is In the True Peer Model, each enterprise
determined, label switching is used to route the network becomes an Internet, with the P
packet to the chosen egress PE router. The ingress network taking the role of backbone SP.
PE router wraps the packet in a label switching
header, where the label corresponds to a route 1.3.10 Intranets and Extranets
(through the P network) to the egress PE router.
Intermediate P routers forward the packet based on The procedures described above allow an
the label, not based on the IP destination address. SP to provide extranets, as well as intranets.
Therefore the intermediate P routers do not need to An intranet is simply a collection of one
know anything about C network routing. Nor do customer’s set of sites that are inter-
they need to know anything at all about VPN-IPv4 connected via one particular technology – in
addresses. In fact, the P routers can simultaneously this case, MPLS-VPN. When customer C1
support MPLS-VPN as well as non MPLS-VPN wishes to communicate with customer C2
Edge LSRs. via this MPLS-VPN technology, one has to
construct an extranet.
As stated earlier, the ingress PE router applies two
labels to the packet. When PE1 sends, via BGP, a To provide an intranet, the PE routers
VPN-IPv4 route to PE3, it also specifies a label for ensure that the forwarding table for the C
the route. If this route belongs to a particular C network contains only routes learned from
network, PE3 enters this route into the forwarding other sites of the C network. To provide an
table it uses for packets from that C network. When extranet, the PE routers allow the C
PE3 receives a packet from the CEA3 router in the network’s forwarding table to contain
network, it looks up the packet’s destination address selected routes from other C networks (or
in this forwarding table. As a result, it determines from the P network itself).
the packet’s BGP next hop (i.e., PE1), and the label
assigned by that next hop. This label is pushed onto 1.3.11 Security
the packet’s label stack. Then PE3 looks up, in its So far, we have shown that MPLS-VPN
“regular” forwarding table (i.e., in the forwarding functionality provides a level of security
table containing routes through the P network), the which is equivalent to that provided by
address of PE1. The P router which is PE3’s next overlay VCs based on Frame Relay or ATM
hop to PE1 (i.e., P3 in figure 3) will have used LDP networks.
to bind a label to the route to PE1. This label is then
pushed on the packet’s label stack, and the packet Security in MPLS-enabled VPN networks is
sent to P3. delivered through a combination of BGP
and IP address resolution.
The topmost label, used for routing the packet
through the P network, corresponds to a route to the BGP is a routing information distribution
egress PE router. The bottom label is used by the protocol that defines who can talk to whom
egress PE router to determine the particular output using multi-protocol extensions and
port (or sub-interface) on which it should transmit community attributes. VPN membership
the packet. Thus the egress PE router avoids the depends upon logical ports entering the
need to look up the packet’s destination address at VPN, where BGP assigns a unique RD. RDs
all. are unknown to end users, making it
impossible to enter the network on another
The MPLS-VPN True Peer connectivity model access port and spoof a flow. Only pre-
allows a P network to support any number of VPNs assigned ports are allowed to participate in
while not stipulating a large amount of routing the VPN. In an MPLS-enabled VPN, BGP
information that needs to be stored in any one P distributes forwarding information base
router. It prevents data from flowing amongst VPNs, (FIB) tables about VPNs to only members
since it maintains separate forwarding information of the same VPN, providing native security
for each VPN. Furthermore, it does not assume that via logical VPN traffic separation.
VPNs use addresses that are unique. Thus it avoids Furthermore, IBGP PE routing peers can
the problems of the overlay model, while also perform TCP segment protection using the
avoiding the problems of the Virtual Peer model.
18
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
MD5 Signature Option19, when establishing IBGP extranets, a provider explicitly configures
peering relationships, further reducing the reachability amongst VPNs.
likelihood of introducing spoofed TCP segments
into the IBGP connection stream, amongst PE
routers.
The provider, not the customer, associates a specific
VPN with each interface when provisioning the
VPN20. Users can only participate in an intranet or
extranet if they reside on the correct physical or
logical port and have the proper RD. This setup
makes a Cisco MPLS-enabled VPN virtually
impossible to enter. As is the case with Frame
Relay and other VPN technologies, mis-
Figure 5 Using MPLS to Build VPNs
configurations by the Service Provider may increase
the chances of data spoofing.
In Figure 5, those who are in VPN 15 never
Within the core, a standard Interior Gateway learn about the existence of VPN 354. As
Protocol (IGP) such as OSPF or IS-IS distributes one can see in the forwarding table for the
routing information. Provider edge LSRs set up indicated router, it only contains address
paths amongst one another using LDP to entries for members of the same VPN. It
communicate label-binding information. Label rejects requests for addresses not listed in its
binding information for external (customer) routes forwarding table. By implementing a
is distributed amongst PE routers using BGP multi- logically separate forwarding table for each
protocol extensions instead of LDP, because they VPN, each VPN itself becomes a private,
easily attach to VPN-IP information already being connectionless network built on a shared
distributed. The BGP community attribute infrastructure, and we have attained an IP
constrains the scope of reachability information. VPN-aware network.
BGP maps FIB tables to provider edge LSRs
belonging to only a particular VPN, instead of IP limits the size of an address to 32 bits in
updating all edge LSRs in the provider network. the packet header. The VPN IP address adds
64 bits in front of the header, creating an
IP Address Resolution
“extended” address in routing tables that
MPLS-enabled IP VPN networks are easier to classical IP cannot forward. MPLS solves
integrate with IP-based customer networks. this problem by forwarding traffic based on
Subscribers can seamlessly inter-connect with a labels, so one can use MPLS to bind VPN
provider service without changing their intranet IP routes to label-switched paths (LSPs).
applications, because MPLS-enabled networks have LSRs need to be concerned with reading
built-in application-awareness. Customers can even labels and not packet headers. We have
transparently use their existing IP address space already discussed how the edge LSR (i.e.,
without NAT because each VPN has a unique PE)
identifier.
• identifies the appropriate VPN for a packet
MPLS VPNs remain unaware of one another. it needs to deliver on behalf of its customer
Traffic is separated amongst VPNs using a logically • indexes it to the forwarding table for that
distinct forwarding table and RD for each VPN. VPN
Based on the incoming interface, the PE selects a
• obtains the corresponding label and
specific forwarding table, which lists only valid
destinations in the VPN, thanks to BGP. To create • applies the label to the packet.
From there on, MPLS manages forwarding
through the LSR core. Since labels only
exist for valid destinations, this is how
19
RFC2385, "Protection of BGP Sessions via the TCP MD5 Signature MPLS delivers both security and scalability.
Option."
20
See the sub-section titled " MPLS-VPN Overview" for details on how
MPLS-VPNs facilitate data privacy.
19
19
When a VC is provided using the overlay model, the In an MPLS environment, one needs to
egress interface for any particular data packet is a consider both packet and cell routers. In a
function solely of the packet’s ingress interface; the packet environment, MPLS Class of Service
IP destination address of the packet does not is fairly straightforward. An MPLS LSR
determine its path in the backbone network21. Thus simply copies the IP precedence to the
unauthorized communication into or out of a VPN is MPLS Class of Service field. The CoS field
prevented. can then be used as input to Weighted RED
as well as Weighted Fair Queuing. The
In MPLS-VPNs, a packet received by the backbone challenge is to provide MPLS CoS in
is first associated with a particular VPN, by environments where LSRs are connected to
stipulating that all packets received on a certain ATM. Class of Service is more involved on
interface (or sub-interface) belong to a certain VPN. ATM interfaces and within the ATM LSRs
Then its IP address is looked up in the forwarding themselves. Quality of Service concepts in
table associated with that VPN. The routes in that ATM MPLS environments are discussed
forwarding table are specific to the VPN of the later.
received packet. So the ingress interface determines
a set of possible egress interfaces, and the packet’s QoS is discussed in-depth in other resources
IP destination address is used to choose from among available from Cisco. The emphasis in this
that set. This prevents unauthorized communication section is engage the reader in investigating
into and out of a VPN. differentiated services in MPLS Intranet and
Extranet VPN environments.
The next few pages will engage the reader
1.3.12 Quality of Service in MPLS- in Quality-of-Service concepts, with
Enabled Networks information on the tools available from
Cisco Systems. Following that, the proper
Quality of Service (QoS) and Class of Service (CoS) QoS paradigms are highlighted in the Edge
enable the Service Provider to offer differentiated as well as the Core of a network. ATM-
IP-based service levels and tiered pricing. QoS based MPLS and non-MPLS networks are
refers to the overall service levels that a network can then discussed.
deliver. CoS refers to a specific level category in
which a user or other model is classified, such as
1.3.12.1 DiffServ
Gold, Silver, and Best-Effort service classes.
DiffServ is an emerging IETF QoS standard
In order to properly deploy QoS, enforcement of that will increase the available ToS bits in a
QoS measurements and policies needs to occur all packet header from the three used by IP
the way through the network, from the first inter- Precedence to six enabling up to 64 classes
network forwarding device (like a layer 2 switch or of service. This offers Providers the ability
router) to the last entity that front-ends the ultimate to support very granular traffic handling.
IP destination station. QoS requires an end-to-end Cisco is actively participating in the
approach as it requires mechanisms at the edge and development of the DiffServ standard, and
in the core. plans to support it in the future.
To Service Providers, QoS is desirable because it
has the potential of helping them support many 1.3.12.2 Design Approach For
types of traffic (data, voice and video) over the Implementing QoS
same network infrastructure. It allows them to offer In mega-scale VPNs, applying QoS on a
business-quality IP VPN services, and the end-to- flow-by-flow basis is not practical because
end service level agreements (SLAs) that customers of the number of IP traffic flows in carrier-
demand. sized networks. The key to QoS in large-
scale VPNs is implementing controls on a
set of service classes that applications are
21
For example, a Frame Relay switch is concerned with only input grouped into. For example, a Service
interface and input DLCI, which then gets mapped to the appropriate
output interface and output DLCI. Frame Relay switching is independent
Provider network may implement three
of the C network’s IP infrastructure.
20
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
21
21
1.3.12.3.3 Differential Discard and Scheduling WFQ ensures that queues are not starved for
Policies bandwidth, and that traffic achieves
Weighted Random Early Discard (WRED) is a predictable service, so that mission-critical
differential discard policy applied to packets that are traffic receives highest priority to ensure
backing up in a queue during outbound congestion. guaranteed delivery and latency. Lower-
WRED is the differentially-oriented counterpart to priority traffic streams share the remaining
simple “tail drop” drop policy. capacity proportionally amongst them.
On the other hand, Weighted Fair Queuing (WFQ) The WFQ algorithm also addresses the
is a differential scheduling policy that results in problem of round-trip delay variability. If
packets of different classes getting different multiple high-volume conversations are
amounts of link bandwidth during outbound active, their transfer rates and inter-arrival
congestion. WFQ is the differetianlly-oriented periods are made much more predictable.
counterpart to “FIFO” scheduling policy. Algorithms such as the Transmission
Control Protocol (TCP) congestion control
1.3.12.3.3.1 WRED and slow-start features are much enhanced
WRED provides congestion avoidance. This by WFQ. The result of WFQ is more
technique monitors network traffic load in an effort predictable throughput and response time
to anticipate and avoid congestion at common for each active flow.
network bottlenecks, as opposed to congestion 1.3.12.3.3.3 Cooperation between WFQ
management techniques that operate to control and IP Precedence
congestion once it occurs.
WFQ is IP Precedence-aware, that is, it is
WRED is designed to avoid congestion in able to detect higher priority packets marked
internetworks before it becomes a problem. It with precedence by the IP Forwarder and
leverages the flow monitoring capabilities of TCP. schedule them faster, providing superior
It monitors traffic load at points in the network and response time for this traffic. The IP
discards packets if the congestion begins to increase. Precedence field has values between 0 (the
The result is that the source detects the dropped default) and 7. As the precedence value
traffic and slows its transmission. WRED interacts increases, the algorithm allocates more
with other QoS mechanisms to identify class of bandwidth to that conversation to make sure
service in packet flows. It selectively drops packets that it gets served more quickly when
from low-priority flows first, ensuring that high- congestion occurs. WFQ assigns a weight to
priority traffic gets through. each flow, which determines the transmit
order for queued packets. It provides the
WRED is supported on the same interface as WFQ25. ability to re-order packets and control
One needs to run both of these queueing algorithms latency at the edge and in the core. By
on every interface where congestion is likely to assigning different weights to different
occur. One applies WRED by IP precedence and service classes, a switch can manage
WFQ by service class in the core. buffering and bandwidth for each service
1.3.12.3.3.2 WFQ class. This mechanism constrains delay
bounds for time-sensitive traffic such as
WFQ addresses situations where it is desirable to voice or video.
provide consistent response time to heavy and light
network users alike without adding excessive 1.3.12.3.3.4 Class-Based Weighted Fair
bandwidth. WFQ is a flow-based queuing algorithm Queuing
that does two things simultaneously: it schedules Class-based Weighted Fair Queuing
interactive traffic to the front of the queue to reduce (CBWFQ) provides the ability to guarantee
response time, and it fairly shares the remaining service levels and maximize bandwidth
bandwidth amongst lower-priority flows. utilization.
CBWFQ is a more sophisticated version of
Cisco’s Custom Queuing feature that has
25
At least in Cisco IOS 12.0(5)T and higher. The author is not sure about been in existing in IOS for several years. It
other IOS revisions.
22
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
allows application service classes to be mapped to a different “deficit counters” to queues. Then
portion of network link. For example, a QoS class all queues are emptied in an alternating,
can be configured to occupy at most 35% of an OC3 round-robin fashion. How much is emptied
link. at each stop is determined by the value of
the deficit counter, and this varies per-queue.
Figure 6 provides an example of three service For instance, if there are three service
classes: classes, there are three active queues in a
• “Gold”, with guaranteed latency and delivery GSR. Queue 1 is the special queue. In
alternate priority, the GSR empties part of
• “Silver”, with guaranteed delivery
Queue 1 until it meets the value kept in the
• “Bronze”, a best effort service deficit counter. The GSR then empties
In Service Provider MPLS-VPN CBWFQ Queue 2 until its deficit value is consumed,
environments, bandwidth is configured per class, then alternates to Queue 1 again. Then it
not per connection. takes packets from Queue 3 and goes back
to Queue 1. How much traffic is taken at a
given pass is determined by the value of the
deficit counter, and that is set by the
administrator to reflect service class and
bandwidth requirements.
Strict priority queues does not use the deficit
counter, but all other queues do. Strict
priority queues have absolute priority over
Figure 7 – Example of Class-Based Weighted-Fair Queuing all other traffic. The GSR always empties
this queue before attending to other queues.
This mechanism may cause bandwidth
By separately allocating bandwidth and buffering starvation in other queues during busy
space, Service Providers can tailor each class to the periods. Other queues are emptied in a
specific service needs of their customers. For round-robin fashion, and how much traffic
example, a Service Provider can offer a “Gold is forwarded is determined by their deficit
class” for voice traffic. Here, a large bandwidth counter values, as with Alternate priority
allocation policy ensures that sufficient bandwidth queuing.
is available for all the cells in the voice queue while
a moderately-sized buffer limits the potential cell
delay. Since these shares are relative weights,
1.3.12.4 Proper QoS Tool
allocating a large share to Gold means that a
Placement in the
minimum is guaranteed. If the gold class is
Network
underutilized, the bandwidth will be shared by the CoS/QoS application is easy to implement
remaining classes in proportion to their weights. in a non-ATM MPLS environment. As one
This ensures maximum efficiency and that paying needs to utilize QoS in an end-to-end
customer traffic will be sent if bandwidth is fashion, two areas of implementation need
available. to be looked at – Ingress/Egress (Edges) of
the network, as well as the core.
1.3.12.3.4 Modified Deficit Round Robin
Modified Deficit Round Robin (MDRR) is an Briefly,
mechanism in development for use in routed cores • at the edges of the network traffic
based on the Cisco 12,000 GSR. It provides CoS- enforcement/policing need to be present.
based queue scheduling to assign priority to traffic Therefore, at the edges of the network,
based on its ToS value (as defined at the edge by Cisco’s Committed Access Rate (CAR) is
CAR). A single special queue can be set to provide required, and
either Alternate or Strict priority.
• in the core of the network, concepts such as
Alternate priority queues are scheduled to alternate Weighted Random Early Detection
with other queues. Alternate priority assigns (WRED); Weighted Fair Queuing (WFQ);
23
23
Class-Based WFQ (CBWFQ); and finally Modified Deluxe” Port Adapters; and at the interface
Deficit Round Robin (MDRR26) need to be level on the predecessor of “PA-A3” : the
considered. “PA-A1.” Interface-level queueing on the
1.3.12.4.1 QoS At the Edge PA-A3 will be supported in a maintenance
release.
The next few sections simply point to QoS tools to
be deployed at the Edge of a network. Details of MPLS CoS Phase 2 (MCP2) is expected to
those tools have already been covered. be available in Calendar Quarter (CQ)3,
1999. MCP2 will permit CAR to mark the
1.3.12.4.1.1 IP Precedence
Label CoS field directly (during label
At is at the Ingress of a network that IP Precedence imposition), so that the original IP
setting, if policy calls for it, is modified. It is also Precedence is preserved end-to-end. This is
possible, for certain environments, for the IP known as “CoS Transparency” and has been
Precedence field to get adjusted at the Egress of the requested by some Service Providers. The
network. However, this document focuses on reader is encouraged to keep in touch with
Ingress-based IP Precedence adjustments. engineering regarding availability of this
feature.
1.3.12.4.1.2 Committed Access Rate
1.3.12.4.2 QoS In the Core
The next few sections refer to Cisco IOS QoS tools
to be deployed in the core of a network. As was the 1.3.12.5.1 ATM MPLS-VPN
case with the Edge concepts, details of those tools CoS/QoS
have already been covered. Mechanisms
24
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
25
25
Reservation28 (RRR or R3) that has yet to
become a standard. Other camps, lead by
Nortel are advocating, for Traffic
Engineering, a specification in the draft
stage, called Constraint-based Routing with
Label Distribution Protocol. Please refer to
the Appendix titled “Cisco’s MPLS
Efforts,” for further information.
Layer 3 traffic engineering is the ability to
control specific routes across a network to
reduce congestion and improve the cost-
efficiency of carrying IP traffic in routed
networks. The goal of Layer 3 traffic
engineering is maximizing utilization of
network resources. IP networks typically
have multiple pathways that traffic can take
to reach its destination. Relying solely on
routing protocols, some paths in a service
provider network may become congested,
while others are underutilized.
Around the same timeframe of the release of
MPLS-VPN support, MPLS will provide an
elegant traffic engineering mechanism
Figure 12 - Implementations of Single-VC Mode
called Routing for Resource Reservation
(RRR29). RRR is currently undergoing
1.3.12.5.1.4 Single- vs Multi-VC Modes EFT30 testing. It provides a flexible, scalable
The Multi-VC paradigm works well with VC Merge, way to support traffic engineering at Layer 3
which saves VC space, reducing the number of VCs in service provider environments. MPLS lets
used by SPs in a large network. Multi-VC mode will managers map traffic flows to explicitly
allow the different classes to be engineered configure paths, sending selected traffic
separately. For example, one set of VCs may have along pre-calculated routes by engineering
short buffers, allowing guarantees of end-to-end the network to deliver specific capacity to
delay across the network. individual VPN customers. RRR allows
network operators to dynamically apply
ABR mode, on the other hand, uses fewer VCs in traffic-engineering rules that override the
small networks, but does not work with VC Merge. traditional IP forwarding mechanisms,
It’s quite difficult to implement with VC Merge. providing for more efficient link utilization.
And it can introduce large delays for certain classes RRR creates one or more explicit paths with
in the network. bandwidth assurances for each traffic trunk.
It takes into consideration the policy
1.3.13 MPLS Traffic Engineering constraints associated with trunks, the
It is also possible to use MPLS for traffic physical network resources, and network
engineering, routing certain flows along pre-defined topology. This way, packets are no longer
layer 3 pathways. At the present time, traffic routed based solely on destination address,
engineering is manually configured on the Cisco but also on resource availability and traffic
devices. Cisco is pioneering work on an open classification policy, as specified by the
standard for dynamically performing traffic network administrator. It also provides fast,
engineering based not only on network policy, but Layer 3 restoration and protection
also on congestion and link availability throughout
the network. This is the Routing for Resource 28
Cisco has recently decided to refer to the use of RRR in
MPLS environments as "MPLS Traffic Engineering."
29
Also referred to as "R3."
30
Early Field Trial.
26
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
mechanisms that are not available in traditional IP which is in that VPN. Similarly, a PE router
networks. is considered attached to a particular site if it
is attached to a CE device which is in that
1.3.13.1.1 RRR Requirements site. A set of IP hosts constitutes a site if
RRR leverages several foundation technologies: those entities communicate with one another
without the use of the backbone.
• CEF,
• MPLS, In general, a site will consist of a set of IP
• Link State IGPs with extensions (OSPF with hosts that are in geographic proximity.
“Opaque” LSAs, as well as IS-IS with new TLV31s), However, this is not always true. Take, for
example, two geographic locations
• An enhanced version of RSVP. connected via a leased line, over which an
The reader will note that Cisco does not currently IP routing protocol32 like OSPF is running.
support Opaque OSPF as an IGP in MPLS TE That environment will constitute a single
environments. site, because communication between the
two locations does not involve the use of the
RSVP sessions are created on a per-traffic-trunk
backbone.
basis for high scalability.
A CE device is always regarded as being in
In summary, future releases of MPLS will
a single site33. A site, however, may belong
implement constraint-based routing to automatically
to multiple VPNs.
establish explicit paths for balancing traffic loads to
conform to specified policy. The CE router is a routing peer of the PE(s)
to which it is attached, but is not a routing
Next, interested reader can explore the details of
peer of CE routers at other sites. Routers at
MPLS-VPN.
different sites do not directly exchange
routing information with one another. As a
consequence, very large VPNs (i.e., VPNs
1.4 Detailed MPLS-VPN Functional with a very large number of sites) are easily
Characteristics supported, while the routing strategy for
each individual site is greatly simplified.
MPLS is a standardized version of Cisco’s original
Tag Switching technology. MPLS and Tag The MPLS-VPN architecture has the
Switching are identical in principle, and nearly following characteristics:
identical in operation. Cisco’s TDP and the MPLS’s
• Conventional IP addressing is used within
LDP are nearly identical in general function, but use
the Provider backbone. All provider
incompatible message formats and some different
addresses are unique, globally valid, IPv4
procedures. Cisco has a leadership position in the
addresses. Furthermore, provider addresses
advancement of MPLS-VPN, as MPLS software is
are also unique across all customer VPNs34.
largely based on Cisco’s Tag Switching technology.
This is the only restriction placed on
In the future, as certain components of MPLS, like
customer address assignment.
LDP, become standards, Cisco will introduce
software features that will adhere to those • Routing information for provider addresses
specifications. is distributed amongst provider routers
using an interior routing protocol. MPLS
The reader is encouraged to consider Cisco’s value- switching is used across the provider
add in the MPLS packet switching area: backbone, using IGP labels based on the
provider address space.
• VPNs using MPLS + Multi-protocol BGPv4. That
is, MPLS-VPN technology is a value-add itself
• CoS/QoS
32
Or even static routing.
In MPLS-VPN, a PE router is considered attached 33
Although a site may consist of multiple "virtual sites", as we
to a particular VPN if it is attached to a CE device shall see later in the document.
34
However, we do allow to use customers’ addresses on the PE
interfaces that connect the PE to the CE router. These
31
Type, Length, Value tuple, or parameters utilized by ISIS. addresses may not be globally unique.
27
27
• Provider edge routers connect to one or more through multicast label switching and
customer edge routers, in one or more customer sparse-mode PIM by using multicast VPN-
VPNs. IPv4 addresses in PIMv2 messages.
PE routers may learn customer routing information
in several ways: 1.4.1 Per-Site37 Forwarding
Tables in the PEs
• Through static configuration.
Each PE router maintains one or more VRF
• Through EBGP. MPLS-VPN provides the
tables. A particular packet’s IP destination
flexibility as to whether or not customer address are
address is looked up in the appropriate VRF
carried forward to other VPNs, as well as to the
table only if that packet has arrived directly
Internet.
through an interface which is associated
• Through other dynamic routing protocols that with that table.
support classless routing35.
A PE generally maintains only one
Controlled access is provided through the desired forwarding table per site, even if it is
leakage of routing information. A customer can multiply connected to that site.
select, either through configuration or dynamically,
which addresses are exported to and imported from 1.4.1.1 Internet Connectivity
other VPNs. In order to support firewall access, the
Suppose a PE router receives a packet from
same address can be exported from different sites
a particular interface, and the packet’s
internally and externally.
destination address does not match any entry
IBGP is used amongst PE routers to distribute in the appropriate VRF table38. If the SP is
customer address information. Customer addresses providing Internet access for that site, then
are exchanged using the Multi-protocol Extensions the PE’s Internet forwarding table will be
to BGP36. Addresses are encoded in “VPN-IPv4” consulted.
format, creating a globally unique value by
At this point, Cisco’s MPLS-VPN code
combining a VRF with the customer’s IP address.
supports VRF default routing through the
Existing BGP mechanisms, such as Route injection of the default route into each VPN
Reflectors, can be used to improve the scalability of that the PE participates in39. In a future
the IBGP information exchange within a provider’s release, Cisco PE routers will provide the
backbone. ability to define a “default VPN” (or VPN0),
to simplify the configuration of default
VPN-IPv4 addresses for a given VPN need only be routing.
distributed amongst the set of PE routers which
connect to, or import addresses from, that VPN. 1.4.1.2 My VPN Doesn’t Talk to
This means that each PE router need only contain a Your VPN
subset of the full IPv4-VPN addressing table.
To maintain proper isolation of one VPN
The VPN-IPv4 addressing information includes from another, it is important that P router
second-level labeling information. When a PE not accept a labeled packet from any
router forwards a unicast VPN packet to another PE adjacent PE router unless
router, it utilizes the first level label to select the
IBGP destination - the target PE router. The second (a) the label at the top of the label stack was
level label (VPN label) comes from the VPN-IPv4 actually distributed by the P router to the
information distributed by the target PE router, and PE device, and
selects the outgoing CE link. (b) the P router can determine that use of that
label will cause the packet to leave the
In the future, VPN multicast forwarding across the backbone before any labels lower in the
provider backbone will be achieved, perhaps
37
We shall be using the terms "per-site forwarding table" and
35
Therefore RIP I and IGRP are NOT appropriate IGPs. At the present "VRF table" inter-changeably.
38
time, Cisco supports RIP II. Support for OSPF will occur in the future. That is, the forwarding table associated with that site.
36 39
RFC2283, "Multi-protocol Extensions for BGP-4." That is, for every site that requires Internet connectivity.
28
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
stack will be inspected, and before the IP header 1.4.2 Same VPN, Different
will be inspected. These restrictions are necessary Routes to the Same
in order to prevent packets from entering a VPN Address
where they do not belong.
Although a customer site may be in multiple
The per-VRF tables in a PE router are only used for VPNs, MPLS-VPN provides the controls for
packets arriving from a CE router that is directly differentiated routes to a given host at that
attached to the PE device. They are not used for site. Suppose, for example, assume one has
routing packets arriving from other routers that an intranet consisting of sites A, B, and C,
belong to the SP backbone. As a result, there may and an extranet consisting of A, B, C, and
be multiple different routes to the same system, the external site D. Suppose that at site A
where the route followed by a given packet is there is a server, and that the goal is for
determined by the site from which the packet enters clients from B, C, or D to be able to use that
the backbone. So one may have one route to a given server. Suppose also that at site B there is a
IP network for packets from the extranet (where the firewall. One needs the ability to direct all
route leads to a firewall), and a different route to the the traffic from site D to the server to pass
same network for packets from the intranet. through the firewall, so that traffic from the
extranet can be access controlled. On the
1.4.1.3 Virtual Sites other hand, traffic from C need not pass
In some cases, a particular site may be divided by through the firewall on the way to the server,
the customer into several virtual sites, perhaps by since this is intranet traffic.
the use of VLANs. Each virtual site may be a MPLS-VPN provides the flexibilty to set up
member of a different set of VPNs. The PE then two routes to the server. One route, used by
needs to contain a separate forwarding table for sites B and C, takes the traffic directly to
each virtual site. For example, if a CE supports ISL site A. The second route, used by site D,
or 802.1Q VLANs, and wants each VLAN mapped takes the traffic instead to the firewall at site
to a separate VPN, the packets sent between CE and B. If the firewall allows the traffic to pass, it
PE will be contained in the site’s VLAN then appears to be traffic coming from site B,
encapsulation, and this can be used by the PE router and follows the route to site A.
to assign the packet to a particular virtual site.
Support for VRF on a VLAN trunking port has not 1.4.3 MPLS-VPN Backbone
yet been tested, but is available in the code on the The SP’s backbone is comprised of the PE
platforms that already have CEF (FIB) support on and P routers.
those VLAN ports.
The MPLS-VPN paradigm provides the
CEF support for 802.1Q on the GSR’s Gigabit ability that the routing information about a
Ethernet Line Card is expected to be made available particular VPN be present ONLY in those
in the 12.0 S code path in July. The author of this PE routers which attach to that VPN. In
document does not currently know whether that particular, the P routers do not need to have
CEF switching on 802.1Q trunks has been ANY per-VPN routing information
committed for the 7500 family yet. whatsoever.
Only one CE router is ever needed per site, even if It is possible for VPNs to span multiple
there are multiple virtual sites. Of course, a different service providers. At this stage, Cisco’s
CE router can be used for each virtual site, if that is MPLS-VPN does not support inter-provider
desired. One can then design a customer VPN that connectivity. The author of this document
has a CE router with multiple VPNs configured on a will publish availability information
VLAN trunking port, with packets from the regarding this feature, as soon as it is
customer site funneling through a Catalyst LAN obtained from Product Marketing.
switch with the proper VLAN encapsulation.
Once supported, the path between PE
routers that represent two different Service
Providers will be part of a private peering
29
29
arrangement between the two providers. At that There are three possible ways that a PE
point, there will exist mutual trust between the two router can obtain this information from the
providers. In particular, each provider must trust the CE router:
other to pass it only correct routing information, and
to pass it MPLS-labeled packets only if those 1. The PE and CE routers may be BGP peers,
packets have been labeled by trusted sources. and the CE router may use BGP to tell the
PE router the set of address prefixes which
are at the CE router’s site. This interaction
1.4.4 A Set of Sites Inter-connected
is discussed in more detail in a later
via a MPLS-VPN Backbone
section40. Great care has been taken to
If all the sites in a VPN are owned by the same simplify the use of BGP in the most
enterprise, the VPN is a corporate “intranet.” If the common scenarios. When BGP is used
various sites in a VPN are owned by different between a CE and a PE router, it is always
enterprises, the VPN is an “extranet.” A site can be EBGP.
in more than one VPN; e.g., in an intranet and 2. The PE and CE routers may be RIPv2 peers,
several extranets. Both intranets and extranets are and the CE may use RIPv2 to tell the PE
regarded as VPNs. router the set of address prefixes which are
reachable at the CE router’s site. This
While the basic unit of inter-connection is the site,
interaction is discussed in more detail in the
the MPLS-VPN architecture allows a finer degree of
section titled “Alternatives to BGP for
granularity in the control of inter-connectivity. For
CE/PE Routing Exchange.”
example, at a given site, it may be desirable to allow
only certain specified systems to connect to certain 3. Static routing may be used. That is, the PE
other sites. That is, certain systems at a site may be router may be configured with the set of
members of an intranet as well as members of one address prefixes reachable via a particular
or more extranets, while other systems at the same CE router.41
site may be restricted to being members of the Support for OSPF an an alternative IGP
intranet only. between the CE and PE routers will be
incorporated in the future.
We regard both intranets and extranets as VPNs. In
general, when we use the term VPN we will not be To prevent loops, the routes which a PE
distinguishing between intranets and extranets. learns from a CE should be routes to
systems which are at the CE’s site. If a PE
A CE router can be in multiple VPNs, although it learns from a particular CE about a route
can only be in a single site. When a CE router is in which is not at that CE’s site, some special
multiple VPNs, one of these VPNs will be procedure must be used to ensure that the
considered its primary VPN. In general, a CE PE can determine that the route leads off the
router’s primary VPN will be the intranet which site.42
includes the CE router’s site.
A CE router is a routing peer of only the PE
A PE router may attach to CE routers in any number router(s) to which it attaches; and, via static,
of different sites, whether those CE routers are in or typically an IGP, other C routers which
the same or in different VPNs. A CE router may, for are at the same site as the CE router.
robustness, attach to multiple PE routers, of the
same or of different service providers.
1.4.6 Backdoor Connections
A PE router attaches to a particular VPN if it is a Suppose one has the customer environment
router adjacency of a CE router which is in that depicted in figure1 13 below. There are three
VPN. 2
CE routers – CE B1, CE B1, and CEB3 ,
connected respectively to PE1, PE2, and
1.4.5 CE-PE Routing Exchange
The PE routers which attach to a particular VPN 40
The section titled "BGP Between CE and PE Routers."
need to know, for each of that VPN’s CE routers, 41
See section "Alternatives to BGP for CE/PE Routing
Exchange."
which addresses in that VPN are at each CE’s site. 42
See the sections titled "BGP Between CE and PE Routers,"
and "Alternatives to BGP for CE/PE Routing Exchange."
30
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
1
PE3. Suppose further that
2
CE B1 has a “backdoor” be applied at the ASBR boundaries to not
IP connection with CE B1 (e.g., the two CE routers accept intra-site routes from the PE
are speaking OSPF to each other on a non-MPLS- neighbors.
VPN interface). What are the routing implications?
1.4.7 Per-site VRFs on PEs
Each PE router maintains one or more “per-
site forwarding tables”. Every site to which
the PE router is attached is associated with
one of these tables. A particular packet’s IP
destination address is looked up in a
particular per-site forwarding table only if
that packet has arrived directly from a site
which is associated with that table.
31
31
associated with that site. If the SP is not providing where the route followed by a given packet
Internet access for that site, then the packet is is determined by the site from which the
discarded as undeliverable. If the SP is providing packet enters the backbone. For example,
Internet access for that site, then the PE’s Internet one may have one route to a given IP
forwarding table will be consulted. This means that address for packets from the extranet (where
in general, only one forwarding table per PE need the route leads to a firewall), and a different
ever contain routes from the Internet, even if route to the same IP address for packets
Internet access is provided. Cisco IOS does not from the intranet.
currently support the ability to revert to the “global”
routing table (i.e., the router’s “standard” or “non- 1.4.8 PEs Redistribute
VRF” IP routing table that everyone is used to Customer Routes to One
seeing in Cisco IOS), if there is a route lookup Another
failure in a VRF. So one has to inject default routes
into each VRF that requires that kind of PE routers use IBGP to distribute VPN
connectivity. So it is appropriate, using the current routes to one another, or rather, to cause
IOS MPLS-VPN functionality, to inject default into VPN routes to be distributed to one another.
the VRF routing table, for example, from a A BGP speaker can only install and
centralized server site with Internet connectivity. In distribute one route to a given address prefix.
this case, the PE router peered with the CE device The inclusion of the VPN-IPv4 Address
connected to the centralized server can inform its Family allows a Service Provider to set up
PE peers of the default route that it either originates each customer VPN to have its own IP
or learns dynamically from the CE neighbor. It is address space, which means that the same
also possible in this centralized environment to address can be used in any number of VPNs,
server multiple VPNs. where in each VPN the address denotes a
As an alternative to the “global routing table” different system. MPLS-VPN makes it
capability mentioned above, there is also a plan to possible for BGP to install and distribute
have a VPN0 on a PE router. The future VPN0 multiple routes to a single IP address prefix.
capability will allow PE IBGP peers to exchange the Utilization of policy route maps helps
global Internet routes amongst themselves or with a determine which sites can use which routes.
Route Reflector. One must however ensure that when several
such routes are installed by BGP, only one
such must appear in any particular VRF
1.4.7.3 Traffic Isolation
forwarding table.
To maintain proper isolation of one VPN from
another, it is important that no router in the These goals are met by the use of a new
backbone accept a labeled packet from any adjacent address family, the VPNv4 or VPN-IPv4
non-backbone device unless (a) the label at the top Address Family.
of the label stack was actually distributed by the
backbone router to the non-backbone device, and (b) 1.4.8.1 VPN-IPv4 Address
the backbone router can determine that use of that Family
label will cause the packet to leave the backbone The BGP Multi-protocol Extensions allow
before any labels lower in the stack will be BGP to carry routes from multiple “address
inspected, and before the IP header will be families.” MPLS-VPN utilizes the “VPN-
inspected. These restrictions are necessary in order IPv4 address family.” A VPN-IPv4 address
to prevent packets from entering a VPN where they is a 12-byte quantity, beginning with an 8-
do not belong. byte “Route Distinguisher (RD)” and ending
The per-site forwarding tables in a PE are ONLY with a 4-byte IPv4 address. If two VPNs use
used for packets that arrive from a site that is the same IPv4 address prefix, the PEs
directly attached to the PE. They are not used for translate these into unique VPN-IPv4
routing packets that arrive from other routers that address prefixes. This ensures that if the
belong to the SP backbone. As a result, there may same address is used in two different VPNs,
be multiple different routes to the same address, it is possible to install two completely
32
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
different routes to that address, one for each VPN. considered comparable by BGP. In all other
cases, a VPN-IPv4 address and its
The RD does not by itself impose any semantics. It corresponding globally unique IPv4 address
contains no information about the origin of the route will be considered non-comparable by BGP.
or about the set of VPNs to which the route is to be
distributed. The purpose of the RD is solely to allow A given VRF table will only have one VPN-
one to create distinct routes to a common IPv4 IPv4 route for any given IPv4 address prefix.
address prefix. Other means are used to determine When a packet’s destination IP address is
where to redistribute the route47. matched against a VPN-IPv4 route, only the
IPv4 part is actually matched.
The RD can also be used to create multiple different
routes to the very same host or subnet. Earlier, we A PE needs to be configured to associate
gave an example where the route to a particular routes, which lead to a particular CE with a
server had to be different for intranet traffic than for particular RD. The PE may be configured to
extranet traffic. Creating two different VPN-IPv4 associate all routes leading to the same CE
routes that have the same IPv4 part, but different with the same RD, or it may be configured
RDs can achieve this. This allows BGP to install to associate different routes with different
multiple different routes to the same system, and RDs, even if they lead to the same CE.
allows policy routing to be used48 to decide which
packets use which route. 1.4.8.2 Import & Export Route
Policy
The RDs are structured so that every service
provider can administer its own “numbering space” In this section, we discuss the way in which
(i.e., can make its own assignments of RDs), the distribution of the VPN-IPv4 routes is
without conflicting with the RD assignments made controlled.
by any other service provider. An RD consists of a
two-byte type field, an administrator field, and an 1.4.8.2.1 Target VPN Attribute
assigned number field. The value of the type field Every VRF table is associated with one or
determines the lengths of the other two fields, as more “Target VPN” attributes.
well as the semantics of the administrator field. The
administrator field identifies an assigned number When a VPN-IPv4 route is created by a PE
authority, and the assigned number field contains a router, it is associated with one or more
number, which has been assigned, by the identified “Target VPN” attributes. These are carried
authority, for a particular purpose. For example, one in BGP as attributes of the route.
can have an RD whose administrator field contains Any route associated with a target VPN
an Autonomous System number (ASN), and whose must be distributed to every PE router that
(4-byte) number field contains a number assigned has a forwarding table associated with that
by the SP to whom IANA has assigned that ASN. target VPN. When a PE router receives such
RDs are given this structure in order to ensure that a route, it is eligible to be installed in each
an SP, which provides VPN backbone service, can of the PE’s per-site forwarding tables49 that
always create a unique RD when it needs to do so. are associated with that target VPN.
However, the structuring provides no semantics. (Whether it actually gets installed depends
When BGP compares two such address prefixes, it on the outcome of the BGP decision
ignores the structure entirely. process.)
If the Administrator sub-field and the Assigned In essence, a Target VPN Attribute
Number sub-field of a VPN-IPv4 address are both identifies a set of sites. Associating a
set to all zeroes, the VPN-IPv4 address is particular Target VPN attribute with a route
considered to have exactly the same meaning as the allows that route to be placed in the VRF
corresponding globally-unique IPv4 address. In tables that are used for routing traffic which
particular, this VPN-IPv4 address and the is received from the corresponding sites.
corresponding globally unique IPv4 address will be
47
See section "The Target VPN Attribute."
48 49
Refer to the section "The VPN of Origin Attribute." Or VRF tables.
33
33
There is a set of Target VPNs that a PE router send the packet directly to the site from to
attaches to a route received from site S (export which the route leads. This will usually
function, into the IBGP routing table to distribute to mean that it just sends the packet to the CE
other peer PEs for that VPN). And there is a set of router from which it learned the route.
Target VPNs that a PE router uses to determine
whether a route received from another PE router In most cases, the label assigned by a PE
could be placed in the forwarding table associated will cause the packet to be sent directly to a
with site S (import function). The two sets are CE, and the PE that receives the labeled
distinct, and need not be the same. In a majority of packet will not look up the packet’s
customer VPN environments, however, one expects destination address in any forwarding table.
to have the import and exports functions to be the The MPLS label that is distributed in this
same. way is only usable if there is a label-
The function performed by the Target VPN attribute switched path (LSP) between the router that
is similar to that performed by the BGP installs a route and the BGP next hop of that
Communities Attribute. However, the format of the route. We do not make any assumptions
latter is inadequate, since it allows only a two-byte about the procedure used to set up that label
numbering space. It would be fairly straightforward switched path. It may be set up on a pre-
to extend the BGP Communities Attribute to established basis, or it may be set up when a
provide a larger numbering space. It should also be route that would need it is installed. It may
possible to structure the format, similar to what we be a “best effort” route, or it may be a
have described for RDs, so that a type field defines traffic-engineered route. Between a
the length of an administrator field, and the particular PE router and its BGP next hop
remainder of the attribute is a number from the for a particular route there may be one LSP,
specified administrator’s numbering space. or there may be several, perhaps with
different QoS characteristics. All that
When a BGP speaker has received two routes to the matters for the VPN architecture is that
same VPN-IPv4 prefix, it chooses one, according to some label switched path between the router
the BGP rules for route preference. and its BGP next hop exists.
A route can only have one RD, but it can have All the usual techniques for using Route
multiple Target VPNs. In BGP, scalability is Reflectors51 to improve scalability, e.g., RR
improved if one has a single route with multiple hierarchies, are available. If route reflectors
attributes, as opposed to multiple routes. One can are used, there is no need to have any
eliminate the Target VPN attribute by creating more particular Route Reflector know all the
routes (i.e., using more RDs), but the scaling VPN-IPv4 routes for all the VPNs supported
properties would be less favorable. by the backbone. One can have separate
route reflectors, which do not communicate
1.4.8.3 Route Re-distribution with each other, each of which supports a
subset of the total set of VPNs.
If two sites of a VPN attach to PEs which are in the
same Autonomous System, the PEs can distribute
1.4.8.4 Building VPNs with
VPN-IPv4 routes to each other by means of an
Extended Community
IBGP connection between them. Alternatively, each
Attributes
can have an IBGP connection to a route reflector.
When a PE router distributes a VPN-IPv4 route via By setting up the Target VPN and VPN of
BGP, it uses its own address as the “BGP next hop”. Origin attributes properly, one can construct
It also assigns and distributes an MPLS label. different kinds of VPNs.
(Essentially, PE routers distribute not VPN-IPv4
routes, but Labeled VPN-IPv4 routes50) When the
PE processes a received packet that has this label at
the top of the stack, the PE will pop the stack, and 51
Bates, T. and R. Chandrasekaran, "BGP Route Reflection:
An alternative to full mesh IBGP", RFC 1966, June 1996.
Reader can also refer to Sam Halabi’s textbook on routing in
50
Please refer to Rekhter and Rosen, "Carrying Label Information in the Internet, which provides BGP4 details.
BGP4", Work in Progress.
34
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
If a customer requests that an SP create a Closed routing tables of the backbone. This enables
User Group (CUG) which contains a particular set MPLS, at each node in the backbone
of sites, it will be possible to do so by creating a network, to assign a label corresponding to
particular Target VPN attribute value to represent the route to each PE router.
the CUG. This value then needs to be associated
with the VRF tables for each site in the CUG, and it When a PE receives a packet from a CE
needs to be associated with every route learned from device, it chooses a particular VRF table in
a site in the CUG. Any route which has this Target which to look up the packet’s destination
VPN attribute will need to be redistributed so that it address. If a match is found, then if the
reaches every PE router attached to one of the sites packet is destined for a CE device attached
in the CUG. to this same PE, the packet is sent directly to
that CE device.
Alternatively, suppose one desired, for whatever
reason, to create a “hub and spokes” kind of VPN. If the packet is not destined for a CE device
This can be done by the use of two Target Attribute attached to this same PE, the packet’s “BGP
values, one meaning “Hub” and one meaning Next Hop” is found, as well as the label
“Spoke”. Then routes from the spokes could be which that BGP next hop assigned for the
distributed to the hub, without causing routes from packet’s destination address. This label is
the hub to be distributed to the spokes. pushed onto the packet’s label stack, and
becomes the bottom label. Then the PE
Suppose one has a number of sites that are in an looks up the IGP route to the BGP Next Hop,
intranet and an extranet, as well as a number of sites, and thus determines the IGP next hop, as
which are in the intranet only. Then there may be well as the label assigned to the address of
both intranet and extranet routes, which have a the BGP next hop by the IGP next hop. This
Target VPN identifying the entire set of sites. The label gets pushed on as the packet’s top
sites which are to have intranet routes only can filter label, and the packet is then forwarded to
out all routes with the “wrong” VPN of Origin.52 the IGP next hop. (If the BGP next hop is
the same as the IGP next hop, the second
These two attributes allow great flexibility in label may not need to be pushed on,
allowing one to control the distribution of routing however.)
information among various sets of sites, which in
turn provides great flexibility in constructing VPNs. At this point, MPLS will carry the packet
across the backbone and into the appropriate
CE device. That is, all forwarding decisions
by P routers and PE routers are now made
1.4.8.5 Packet Forwarding across the by means of MPLS, and the packet’s IP
Backbone header is not looked at again until the packet
MPLS-VPN utilizes a two-level label stack to allow reaches the CE device. The final PE router
intermediate routers in the backbone, that do not will pop the last label from the MPLS label
have any information about the routes to the VPNs, stack before sending the packet to the CE
to forward packets from one VPN site to another. device, thus the CE device will just see an
ordinary IP packet.
PE routers need to insert /32 IP host address
prefixes for themselves into the IGP routing tables When a packet enters the backbone from a
of the backbone. This enables MPLS, at each node particular site via a particular PE router, the
in the backbone network, to assign a label packet’s route is determined by the contents
corresponding to the route to each PE router. of the forwarding table, which that PE
router associated with that site. The
PE routers (and, in the future, ASBRs, which forwarding tables of the PE router where the
redistribute VPN-IPv4 addresses53) need to insert packet leaves the backbone are not relevant.
/32 address prefixes for themselves into the IGP As a result, one may have multiple routes to
the same system, where the particular route
52
As stated elsewhere in this document, VPN-of-Origin support in Cisco chosen for a particular packet is based on
IOS software is slated for a future release.
53
Current Cisco MPLS-VPN software does not support inter-Service
Provider connectivity
35
35
the site from which the packet enters the backbone. A route may be associated with multiple
attributes of this type.
1.4.9 PEs Learn Routes from CEs
If a route is to be distributed only within its
Before a PE can redistribute a VPN-IPv4 route intranet, then a single Target VPN attribute
learned from a site, it must assign certain attributes should be associated with the route, and its
to the route. There are three such attributes54: value field (see section “Route
Distinguishers (RDs)”) should be identical
1. Site of Origin to the value field of the route’s VPN of
This attribute uniquely identifies the site of the Origin attribute. If the route is also to be
corresponding CE router from which the PE router distributed to one or more extranets,
learned the route. additional Target VPN attributes will be
used.
The same Site of Origin attribute must be used for
all CE routers that are at the same site, whether or The use of a single Target VPN attribute
not those CEs are attached to the same PE. value which identifies a set of VPNs can be
used to provide a Closed User Group
Distinct Site of Origin attributes must be used for concept (see the “Closed User Groups”
CE routers which are at distinct sites. section). In this case, the VPN of Origin will
not be necessary.
This attribute will be used, when distributing the
routes among the PEs, to prevent certain sorts of These attributes are to be encoded as BGP
loops. Extended Communities Attributes55.
A route must be associated with at most one
1.4.9.1 PEs Redistribute VPN-
attribute of this type.
IPv4 Routes into IPv4
2. VPN of Origin VRFs
This attribute uniquely identifies the primary VPN How does a PE know which set of routes
of the corresponding CE router. It will typically be needs to be distributed to which set of VPNs.
used to identify the CE router’s intranet, if there is The architecture supports three different
one. When attached to a route, this attribute can models:
then be thought of as identifying the enterprise 1. Manual configuration of the PE router.
owning the system or systems to which the route
2. When the CE and the PE talk BGP to each
corresponds.
other, one may allow the CE to specify the
In situations in which it is necessary to identify the Target VPN attribute (but not the Site of
source of a route, it is this attribute, not the RD, Origin or VPN of Origin attributes). The PE
which must be used. will respect the Target VPN attribute
specified by the CE.
A route must be associated with at most one
3. A hybrid mode, in which the PE is
attribute of this type.
configured with a list of acceptable Target
3. Target VPN VPNs, and the CE specifies from among
this list. The PE may also be configured
This attribute uniquely identifies a VPN or a set of with a set of mandatory Target VPNs. In
VPNs to which the route should be distributed. It is this mode, the PE removes any Target VPN
the value of this attribute (a) which determines the attributes which the CE specifies but which
set of PE routers that will receive this route, and (b) aren’t in the configured list of acceptable
for each such PE, determines the set of CE routers Target VPNs; the PE then adds any
which will receive this route. additional Target VPNs which are in the
mandatory category.
54
At the present time, Cisco’s MPLS-VPN code supports neither the VPN
55
of Origin nor the Site of Origin Extended Attibutes. Section "BGP Extended Community Attributes."
36
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
The PE will assign a label to each route that it learns a VPN-IPv4 route which is different than
from the CE. It will know that if it receives any (i.e., contains a different RD than) R1.
labeled packets from another P router that have this 3. The PE and CE routers may be OSPF peers.
label value, the label stack must be popped and the In this case, the site should be a single
packet forwarded to the particular CE router. While OSPF area, the CE should be an ABR in
it is allowable for the PE router to assign the same that area, and the PE should be an ABR
label to all routes it learns from a given CE, it is which is not in that area. Also, the PE
highly recommended that the PE router assign a should report no router links other than
different label to each route. This will allow a those to the CEs which are at the same site.
particular route to migrate from one CE router to ( As mentioned earlier, Cisco’s software
another without requiring the PE router to does not currently support OSPF as a CE-
redistribute any labels to its BGP peers. PE IGP)
The PE router translates IPv4 addresses received 4. The PE and CE routers may be BGP peers,
from the CE router, into VPN-IPv4 addresses, using and the CE router may use BGP - in
the RD configured on the interface through which particular, EBGP to tell the PE router the
the IPv4 packet came. The PE then treats these set of address prefixes which are at the CE
VPN-IPv4 routes as input to BGP. In no case will router’s site. (This technique can be used in
routes from a site ever be leaked into the backbone’s stub VPNs or transit VPNs.)
IGP. From a purely technical perspective, this is
by far the best technique:
1.4.9.2 PE-CE Routing Protocol
a) Unlike the IGP alternatives, this does not
Options
require the PE to run multiple routing
Exactly which PE-CE route re-distribution algorithm instances in order to talk to
techniques are possible depends on whether a multiple CEs
particular CE is in a “transit VPN” or not. A “transit b) BGP is explicitly designed for just this
VPN” is one which contains a router that receives function - passing routing information
routes from a “third party” (i.e., from a router which between systems run by different
is not in the VPN, but is not a PE router), and that administrations
redistributes those routes to a PE router. A VPN that c) If the site contains “BGP backdoors”, i.e.,
is not a transit VPN is a “stub VPN”. The vast routers with BGP connections to entities
majority of VPNs, including just about all corporate other than PE routers, this procedure will
enterprise networks, are expected to be “stubs” in work correctly in all circumstances. The
this sense. other procedures may or may not work,
The possible PE/CE distribution techniques are: depending on the precise circumstances.
d) Use of BGP makes it easy for the CE to
1. Static routing (i.e., configuration) may be used. pass attributes of the routes to the PE. For
(This is likely to be useful only in stub VPNs.) example, the CE may suggest a particular
2. PE and CE routers may be RIP peers, and the CE Target for each route, from among the
may use RIP to tell the PE router the set of address Target attributes that the PE is authorized to
prefixes which are reachable at the CE router’s site. attach to the route.
When RIP is configured in the CE, care must be On the other hand, using BGP is likely to be
taken to ensure that address prefixes from other something new for the CE administrators,
sites (i.e., address prefixes learned by the CE router except in the case where the customer itself
from the PE router) are never advertised to the PE. is already an Internet Service Provider (ISP).
More precisely: if a PE router, say PE1, receives a If a site is not in a transit VPN, note that it
VPN-IPv4 route R1, and as a result distributes an need not have a unique Autonomous System
IPv4 route R2 to a CE, then R2 must not be Number (ASN). Every CE whose site which
distributed back from that CE’s site to a PE router, is not in a transit VPN can use the same
say PE2, (where PE1 and PE2 may be the same ASN. This can be chosen from the private
router or different routers), unless PE2 maps R2 to ASN space, and the PE will strip it out.
37
37
Routing loops are prevented by use of the Site of 1. Length: 1 octet
Origin Attribute. The Length field indicates the length of the
label (24 bits) plus the length in bits of the
1.4.10 CEs Learn Routes from PEs address prefix, including the length of the
RD. Thus its minimum value is 88,
In general, a PE may distribute to a CE any route
corresponding to a label and an RD,
which the PE has placed in the forwarding table
followed by an IPv4 prefix of length 0. This
which it uses to route packets from that CE. There is
will indicate a prefix that matches all VPN-
one exception: if a route’s Site of Origin attribute
IPv4 addresses that begin with the specified
identifies a particular site, that route must never be
RD. The maximum value of this field is 120,
redistributed to any CE at that site.
corresponding to a labeled VPN-IPv4 host
In most cases, however, it will be sufficient for the address.
PE to simply distribute the default route to the CE.
2. Label: 3 octets
(In some cases, it may even be sufficient for the CE
to be configured with a default route pointing to the The Label field carries one or more labels
PE.) This will generally work at any site which does (that correspond to the stack of labels). Each
not itself need to distribute the default route to other label is encoded as 3 octets, where the high-
sites. (For example, if one site in a corporate VPN order bit contains “Bottom of Stack”. The
has the corporation’s access to the Internet, that site following high-order three bits must be zero.
might need to have default distributed to the other The remaining 20 bits contain the label
site, but one could not distribute default to that site value.
itself.)
3. Prefix:
• Route Distinguisher: 8 octets
1.4.11 ISP as a Stub VPN
• IPv4 address prefix
If a particular VPN is actually an ISP, but its CE This contains the IPv4 prefix, padded out to
routers support MPLS, then the VPN can actually as many bits as needed to make it end on an
be treated as a stub VPN. The CE and PE routers octet boundary. (The value of any such
need only exchange routes which are internal to the padding bits is irrelevant.)
VPN. The PE router would distribute to the CE
router a label for each of these routes. Routers at The encoding described above allows a
different sites in the VPN can then become BGP single BGP Update message to carry
peers. When the CE router looks up a packet’s multiple VPN-IPv4 routes, each with its
destination address, the routing lookup always own label(s). The label(s) specified for a
resolves to an internal address, usually the address particular route (and associated with its
of the packet’s BGP next hop. The CE labels the prefix) must be assigned by the router which
packet appropriately and sends the packet to the PE. is identified by the value of the Next Hop
attribute of the route.
1.4.11.1 Encoding VPN-IPv4 Address
In the future, it may be possible to support
Prefixes in BGP
the simultaneous installation of multiple
The procedures defined in RFC 2283, Multi- routes to the same VPN-IPv4 address prefix,
protocol Extensions for BGP-4, will be used to as long as each route is associated with a
carry Labeled VPN-IPv4 address prefixes amongst different Label value. Currently, however,
PE routers. The Labeled VPN-IPv4 address prefix BGP will consider two Labeled VPN-IPv4
appears in the Network Layer Reachability addresses to be equal if they have the same
Information (NLRI) field. VPN-IPv4 address prefix part, even if they
have different Tag values.
Before two BGP peers can make use of the Labeled
VPN-IPv4 address family, they must both agree to
do so by means of a Capability Negotiation.
The NLRI is encoded as one or more triples of the
form <label, length, prefix>:
38
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
39
39
• MPLS-VPN-IPv4 Address Family, so that labeled router which has the full routing table for
VPN-IPv4 addresses can be distributed amongst PE the VPN, and which can choose the route to
routers. the egress PE router.
• BGP Capability Negotiation should be used to
determine whether a BGP peer has the appropriate 1.4.13 Security
capabilities.
Under the following conditions:
1.4.12.1 Ordinary BGP Routes a) labeled packets are not accepted by
PE routers may also have “ordinary” EBGP and backbone routers from untrusted or
IBGP connections which have nothing to do with unreliable sources, unless it is known that
VPNs. On such ordinary connections, IPv4 routes, such packets will leave the backbone before
rather than VPN-IPv4 routes, are distributed; routes the IP header or any labels lower in the
learned from CE routers will not be sent on such stack will be inspected, and
connections, unless those routes are to be exported b) labeled VPN-IPv4 routes are not accepted
to the public Internet. from untrusted or unreliable sources.
The security provided by this architecture is
1.4.12.2 Internet Filtering identical to that provided by Frame Relay-
Any router with a BGP connection to the Internet or ATM-based VPNs.
must ensure, through proper filtering, that it doesn’t It is also possible for a VPN user to provide
leak any routes to the Internet that are not part of the themselves with enhanced security by
P network’s AS, or of the AS of some client making use of IPSec.
network of the P network. When routes are leaked
to the Internet, all private AS numbers must be
1.4.13.1 Cisco’s Support of
removed (via outbound filtering) from the AS-path.
IPSec on CEs Today
VPN-IPv4 routes will not be accepted from Currently, one has to manually configure the
connections to the internet. crypto-maps in each of the CE routers. In
that mode, MPLS-VPN packet delivery and
1.4.12.3 Route Aggregation IPSec encryption are independent. In order
It is possible for a PE router that distributes Labeled to manually configure the crypto-maps, you
VPN-IPv4 routes to do a certain amount of route has to have a priori knowledge of the next
aggregation. Two VPN-IPv4 routes with the same CE router that a given packet will traverse,
RD may be aggregated, and the aggregate may be and hence static routing needs to be
distributed as a Labeled VPN-IPv4 route to BGP introduced for that IPSec tunnel destination.
peers.
1.4.13.2 IPSec Work in Progress
Then when a packet arrives with a particular
incoming label, and the label corresponds to an Work is under way to dynamically develop
aggregated VPN-IPv4 route, the P router will not be the route to the next CE – precisely the idea
able to choose the next hop based solely on the label. behind routing in the first place!
However, the label will identify the RD. The P RFC 254756 considers a feature in which a
router must pre-pend the RD to the IP destination PE uses BGP to tell a CE, say, CE1, what
address of the packet, in order to get the packet’s the next hop CE, say, CE2, is for a
VPN-IPv4 route. The VPN-IPv4 address can then particular address prefix. Then this
be looked up in the routing table. information from routing can be used by
This aggregation procedure may be useful whenever CE1 to choose the IPSEC tunnel that leads
a single PE router needs to be able to route to a to CE2. Cisco has not implemented this
very large number of VPNs. If each VPN is feature.
assigned a single RD, then the PE router will need
as little as one route per VPN, rather than one route
per address prefix. The BGP next hop will be a P
56
Section 9, "Security."
40
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
The Service Providers that are interested in MPLS- • Configure Routing Protocol Families
VPN are supportive of Cisco’s IPSEC/MPLS-VPN • Configure IBGP for distribution of VPN
integration story, as they think that IPSEC/MPLS- routes
VPN integration may be needed in the future, but
realistically don’t know exactly what the 1.5.2 MPLS-VPN
requirements are. Configuration Entities
In this section, we highlight the concepts
1.4.14 MPLS VPN Functional that IOS relies upon in order to configure
Summary MPLS-VPN on a PE router. We point to
Up until today, all VPN solutions have used some VRFs, Router Address Family, VPN-IPv4
kind of tunneling or overlay technology, be they NLRIs57, and Route-target Communities58.
VCs, L2TP, L2F, GRE or IP set tunnels. These
technologies are all based on creating overlays, not 1.5.2.1 VRF instances
networks. These solutions are inherently unscalable
At the heart of MPLS-VPN functionality are
as the number of VCs provisioned grows
VPN Routing/Forwarding (VRF) instances:
exponentially as the number of sites in those VPNs
grows. In addition, each end customer requires a A VRF consists of:
new network to be engineered and managed. So the
ability to roll out these solutions and support these • An IP Routing table. This is directly
various VPNs is not scalable. analogous to the single central routing table
in previous versions of IOS. In fact, the
In contrast, MPLS-based VPNs are based on the central routing table can be considered to be
peer model, not the overlay paradigm. A VPN the VRF routing table for the provider
should be thought of as a set of inter-connected sites. backbone.
An MPLS-VPN consists of a set of sites that are • A derived forwarding table, based on the
inter-connected via an MPLS or label switching CEF (FIB) forwarding technology.
Provider core. At each site, there are one or more
• A set of interfaces which use the derived
CE routers, which attach (via a data link of some
forwarding table.
sort) to one or more PE routers. PE routers
dynamically communicate to one another utilizing • Rules which control route injection into and
IBGP. It is not required that the set of IPv4 out of the VRF routing table.
addresses used in any two VPNs be mutually • A set of routing protocols and routing peers
exclusive, as the PEs translate IPv4 addressees into which inject information into the VRF
IPv4VPN entities, utilizing BGP with extended routing table.
community attributes. • Router variables associated with the VRF
routing instance.
The set of addresses used in a VPN must be
exclusive of the set of addresses used in the P In this document “per-site forwarding table”
network. More specifically, it is required that every will be used inter-changeably with VRF
CE router be able to address the PE router(s) to table.
which it is directly attached. This means that the 1.5.2.1.1 IOS Configuration Command
addresses of the PE routers must not be duplicated for a VRF Instance
in any VPN.
(config)# ip vrf vrf_name
1.5 MPLS-VPN Configuration For example, “ip vrf CustomerA” will
initiate a VPN Routing table, and associated
1.5.1 Summary of MPLS-VPN CEF table, named CustomerA. It then enters
Configuration Steps vrf configuration sub-mode to configure
• Define VRF(s) variables associated with the VRF.
• Define RD for Each VRF Instance
57
Network Layer Reachability Information. NLRIs were
• Configure Import and Export VPN route-target lists introduced with BGP, consisting of a prefix and length, e.g.,
47/8 (netowrk 47.0.0.0/One Octet); 204.10.1/24, etc.
• Assign interfaces to VRFs 58
Extended BGP communities.
41
41
1.5.2.1.2 VRF Configuration Sub-mode 1.5.2.2.1.3 IPv4 NLRI Caveat
The router then changes the config-mode prompt to One must enter the “no bgp default ipv4-
VRF configuration sub-mode: activate” command59 under the definition of
the EBGP CE neighbor, while one utilizes
(config-vrf)#RD RD_Value the “neighbor <neighbor-ip-address>
This is where one enters the 8-byte Route activate” with that same CE neighbor, in the
Descriptor that will be pre-pended to the IPv4 routes VRF configuration context. A BGP session
by the PE, prior to re-distributing the route into the that will be used for the exchange of IPv4
MPLS-VPN backbone. NLRIs with that VRF (CE) neighbor must
not be activated for the exchange of IPv4
In that vrf sub-mode, one also enters the route-target NLRIs with any non-VRF neighbor (i.e., for
information for that VRF. Route targets are Internet connectivity). An alternative to the
explained in detail below. “no bgp default ipv4-activate” command is
the issuance of the “no neighbor <CE-
(config-vrf)#route-target import | export | both neighbor-ip-address> activate”
<community> configuration command under the
configuration of that CE peer60.
1.5.2.2 Router Address Family
1.5.2.2.2 Address Family Components
As mentioned earlier in this document, one of the
building blocks of MPLS-VPN are the Multi- An address family consists of a main family
protocol Extensions to BGP. Address Families were (also referred to as an Address Family
introduced in order to support the multi-protocol Identifier61, or AFI) and a modifier, or
extensions to BGP-4. SubAddress-Family-Identifier (SUBAFI).
42
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
63 65
That is, good-old BGP-4 that has been supported since Cisco IOS 10.0 Please refer to draft-ramachandra-bgp-ext-communities-
64
Autonomous System Number. 00.txt for details.
43
43
Thus, every route exported into IBGP from one of 1.5.2.4.3 Controlled Access to Servers
these VRFs will contain Cclosed. Every route As a third scenario, let us consider a case
received that contains C closed will be eligible for where a Service Provider wishes to control
import into these VRFs. the access to a set of content servers. For
1.5.2.4.2 Hub-and-Spokes VPN example, assume there are three sites A, B,
and C, and three servers S1, S2, and S3.
This is a more complex VPN. In this case we have Sites have subscribed to differing sets of
one central site, the “hub”, and a set of “spoke” sites. content. In particular, A and B are allowed
Spokes cannot communicate directly with each to receive data from S1; B and C from S2;
other. Instead, all traffic between “spoke” sites will and only C from S3. A, B, and C may or
be routed through the “hub.” The “hub” site can may not be allowed to communicate directly.
communicate directly to all “spokes.” Note: the
current code does not support this configuration To implement this scenario, one does the
optimally. The current code requires that routes following:
exported from a site be present in that site’s VRF,
otherwise MPLS forwarding information is not • Define six Route Target Extended
created correctly66. Therefore, with the current code, Community Attributes: C_S1Imp, C_S1Exp,
additional route-target communities must be defined C_S2Imp, C_S2Exp, C_S3Imp, C_S3Exp.
in order to cause the spokes routes to be imported • Routes from server S1 should be exported
into their own VRFs. This example documents the using community C_S1Exp. The VRF
optimal configuration, which will be supported in connected to server S1 should be
the future. configured to import routes with
community C_S1Imp.
To implement this scenario we do the following:
• Routes S2 export with community
• Define two VPN route-target communities: C_hub C_S2Exp. The S2 VRF imports routes with
and C_spoke . community C_S2Imp.
• Set the export list of each VRF connected to a • Similarly for the S3 server.
“spoke” site to C_spoke • Routes for site A should be exported with
• Set the export list of the “hub” site to C_hub community C_S1Imp.
• Set the import list of each VRF connected to a • Routes for site B should be exported with
“spoke” site to C_hub communities C_S1Imp and C_S2Imp.
• Set the import list of the “hub” site to C_spoke • Routes for site C should be exported with
communities C_S2Imp and C_S3Imp.
Thus, every route exported into IBGP from a
“spoke” site is imported only into the VRF for the • The VRF connected to site A should import
“hub” site. routes with community C_S1Exp.
• The VRF connected to site B should import
Conversely, routes exported from the “hub” site are routes with communities C_S1Exp and
imported into the VRFs for each “spoke” site. C_S2Exp.
This scenario can be generalized to multiple hub • The VRF connected to site C should import
sites. Through the definition of additional route- routes with communities C_S2Exp and
target communities it can be generalized to support C_S3Exp.
arbitrary overlap between the “spoke” sites.
1.5.3 MPLS-VPN
Configuration, Next
Steps:
So one first configures the name of the
66
In the the current implementation (IOS 12.0(5)T) , for a route to be VPN(s), or VRF(s) to handle. Next, one
imported into a VRF, the extended community attributes for the route must
have a non-null intersection with the import extended community defines the 64-bit Route Distinguisher value
attributes associated with the VRF, regardless of how that route is learned
(i.e., via IBGP from a PE or RR, EBGP from a CE, RIP from a CE, static for this VRF. One then sets up the route-
configuration on the PE). The "export" extended community attributes target lists, which is a community that will
associated with a VRF are added as attributes to routes learned from the
VRF CE (via EBGP, RIP or static configuration). be matched in order to cause a route to be
44
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
imported into this VRF. One also can define the Router ‘address-family’ sub-mode is used to
export route target community, which is the configure BGP across the provider
community that shall be added on all routes backbone for transport of addresses other
exported into the backbone BGP from this VRF. than IPv4. In order to configure routing
protocols, Cisco IOS has an address family
Next, while still in configuration mode, one enters command. One can use address family IPv4,
the command: in a context of a particular VRF. Once in the
ip vrf forwarding <vpn_name67> sub-mode for this address family, one can
use existing (and familiar) routing
This command will attach an interface to a VRF. commands, such as “neighbor”, “offset list”,
This will cause all packets forwarded as well as all “redistribute”, and the commands will apply
packets received on this interface to be transacted to the group context for this VRF.
using the forwarding table for this VRF, and all
routing protocols which use this interface to pick the Let us go through a few examples, to allow
appropriate context. the reader to better understand the
configuration steps required for MPLS-VPN
Continuing on, one enters the following functionality.
configuration commands:
address-family ipv4 vrf <name>
<router configuration commands>
neighbor <address> activate
Other routing-protocol-specific configuration
commands...
67
or vrf_name
45
45
! ip vrf CustomerA
1.5.4 Global-level versus sub-command
VRF Commands ! rd 100:1
It appears that the “ip vrf” global-level !
configuration commands are either going to be
removed from the parser in the shipping versions of ! Import into and export out of VRF/VPN
Cisco IOS, or that those commands will become the NLRIs that have the extended
hidden. The same functions can be enabled in the
vrf sub-command mode (i.e., one will issue the ! route-target community value 100:1
configuration command “ip vrf vrf-name” and then !
from that vrf mode, enter the appropriate
commands). ! route-target both 100:1
!
ip vrf CustomerA route-target both 100:1 ! a similar address on its CE end. If the
following command is
ip vrf CustomerB route-target both 100:2
! not issued, then all CE routers in a
ip vrf CustomerB route-target import 100:1 particular VPN must have
! ! unique addresses.
! Note that one can arrive at the same result of !
specifying the route-target
no ip vrf CustomerB global-connected-
! extended community string in the last five addresses
configuration commands,
!
! through entering vrf config sub-mode, as follows:
interface loopback0
!
46
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
47
47
! Activate sessions to peers within those VRFs Router(config-if)# ip vrf forwarding RED
! Router(config-if)# ip address 10.1.1.1
255.255.255.0
! Remember, we’re speaking good-old ebgp, using
IPv4 protocols, albeit
! in a VRF context, between the CE and PE, if that’s Router(config-if)# interface Hssi10/1/0
the routing protocol
Router(config-if)# ip vrf forwarding RED
! we choose.
Router(config-if)# ip unnumbered lo100
!
First the VRF is defined, in this case VPN
address-family ipv4 unicast vrf CustomerA “RED68.” Next the VPN “RED” is given an
RD. This is followed by the definition of the
neighbor 10.20.0.60 activate route target. This is a simple VPN. It has the
no auto-summary same RD and import/export (and hence the
keyword both) route target. Specifying the
redistribute static same value for RD and route targets is a
useful convention in very simple VPNs. The
exit-address-family no global-connected-addresses command
address-family ipv4 unicast vrf CustomerB controls whether or not the address between
the provider router and customer router,
neighbor 10.20.1.11 activate shows up in the vrf and global routing tables.
The “no” version of the command ensures
no auto-summary that the connected address does not get
redistribute static carried into the IBGP routing table abd get
re-distributed to other PE peers in that VPN.
exit-address-family This will make it possible to have non-
unique local CE addresses in the same VPN.
!
The next configuration command sets up
! Define a VRF static route. interfaces to be connected to this VRF. One
! Currently, static VRF routes must point out an can apply an IP address to the interface
interface, versus participating in VPN, or one can use
unnumbered IP addressing. If one chooses
! point to a next hop IP address. to support the latter, then it needs to be
unnumbered on an interface that is also
! attached to this VRF.
ip route vrf CustomerA 12.0.0.0 255.0.0.0 e5/0/1 Router# show ip vrf
Name Default RD Interfaces
48
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
!
! So switching to IPv4, but in a VRF context… Router# show ip route vrf RED
! ….
Router(config-router)# address-family ipv4 vrf RED Gateway of last resort is not set
49
49
10.0.0.0/24 is variably subnetted, 4 subnets, 2 Route Distinguisher: 102:1234 (RED)
masks
2.0.0.0 10.100.1.2 36/notag
B 10.2.2.0/24 [200/0] via 192.168.72.1, 2d00h
10.1.1.0/24 0.0.0.0 35/aggregate(RED)
C 10.1.1.0/24 is directly connected, Ethernet5/0/2
10.2.2.0/24 192.168.72.1 notag/27
C 10.100.1.0/24 is directly connected,
Loopback100 12.0.0.0 10.1.1.1 34/notag
C 10.100.1.2/32 is directly connected Hssi10/1/16 The command above lets the Service
Provider see the labeling information that
12.0.0.0/32 is subnetted, 1 subnets was learned or distributed. One can see a
connected route which is 10.1.1.0. Since this
R 12.0.0.1 [120/1] via 10.1.1.2, 00:00:05, is a connected route, it has a distributed
Ethernet5/0/2 aggregate label of 35.
The reader will note that NLRI 2/8 was obtained
from our CE neighbor on the HSSI interface (since 1.57 Third Configuration
the administrative distance [AD] for this route is 20. Example - Hub-and-
We are, of course, assuming default setting for AD.) Spokes69
One can also note the 10.2.2/24 NLRI obtained
from a PE peer, for a customer subnet at another site
(note the AD value of 200).
The reader will also note the RIP route, which was
also learned from a customer router.
Router#show ip bgp vpnv4 vrf RED
BGP table version is 11, local router ID is
10.13.0.13
Status codes: s suppressed, d damped, h history, *
valid,
1.5.7.1 Configuration from CE:
> best, i - internal A-3620-mpls
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight !
Path version 12.0
Route Distinguisher: 102:1234 (RED) !
*> 2.0.0.0 10.100.1.2 0 0 65535 ? hostname a-3620-mpls
*>i12.0.0.0 10.1.1.2 0 0? !
*>i10.2.2.0/24 192.168.72.1 0 100 0 ? interface Loopback0
*>i10.1.1.0/24 0.0.0.0 0 32768 ? ip address 222.2.3.1 255.255.255.255
*>i10.100.1.0/24 0.0.0.0 no ip directed-broadcast 0 32768 ?
!
Router# show ip bgp vpnv4 vrf RED tags interface Loopback1
Network Next Hop In tag/Out tag
69
From Robert Raszuk's NSA MPLS pages.
50
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
51
51
1.5.7.3 Configuration from: C-2611- hostname d-1720-mpls
mpls
!
!
interface Loopback0
version 12.0
ip address 222.2.2.1 255.255.255.255
!
no ip directed-broadcast
hostname c-2611-mpls
!
!
interface Loopback1
interface Loopback0
ip address 111.0.2.1 255.255.255.255
ip address 222.2.5.2 255.255.255.255
no ip directed-broadcast
no ip directed-broadcast
!
!
interface Loopback2
interface Ethernet0/0
ip address 111.0.2.2 255.255.255.255
ip address 172.16.69.36 255.255.255.224
no ip directed-broadcast
no ip directed-broadcast
!
!
interface Loopback3
interface Ethernet1/0
ip address 20.1.1.1 255.0.0.0
ip address 111.0.5.10 255.255.255.252
no ip directed-broadcast
no ip directed-broadcast
!
!
interface Serial0
router ospf 100
ip address 111.0.1.102 255.255.255.252
network 111.0.5.0 0.0.0.255 area 0
no ip directed-broadcast
network 222.2.5.2 0.0.0.0 area 0
!
!
interface FastEthernet0
ip classless
ip address 172.16.69.37 255.255.255.224
ip route 171.0.0.0 255.0.0.0 172.16.69.33
no ip directed-broadcast
!
!
end
ip classless
ip route 0.0.0.0 0.0.0.0 111.0.1.101
1.5.7.4 Configuration from: D-1720- ip route 171.0.0.0 255.0.0.0 172.16.69.33
mpls
!
!
end
version 12.0
!
52
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
53
53
no ip directed-broadcast no ip directed-broadcast
tag-switching ip tag-switching ip
! !
router ospf 222 interface FastEthernet2/1
network 111.0.1.0 0.0.0.255 area 0 ip address 111.0.1.9 255.255.255.252
network 222.2.1.5 0.0.0.0 area 0 no ip directed-broadcast
! tag-switching ip
ip classless !
ip route 171.0.0.0 255.0.0.0 172.16.69.33 router ospf 222
! network 111.0.1.0 0.0.0.255 area 0
access-list 110 deny ip any 224.0.0.0 network 222.2.1.4 0.0.0.0 area 0
15.255.255.255
!
!
ip classless
end
ip route 171.0.0.0 255.0.0.0 172.16.69.33
1.5.7.7 Configuration from: I-7204- !
mpls
end
!
version 12.0 1.5.7.8 Configuration from: J-
7204-mpls
!
!
hostname i-7204-mpls
version 12.0
!
!
ip cef
hostname j-7204-mpls
!
!
interface Loopback0
ip cef
ip address 222.2.1.4 255.255.255.255
!
no ip directed-broadcast
ip vrf RedH1
!
rd 111:1
interface Ethernet1/0
route-target export 100:1
ip address 172.16.69.42 255.255.255.224
route-target import 101:1
no ip directed-broadcast
route-target import 102:1
!
route-target import 100:1
interface FastEthernet2/0
!
ip address 111.0.1.6 255.255.255.252
54
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
interface Loopback0 !
ip address 222.2.1.2 255.255.255.255 router bgp 222
no ip directed-broadcast no synchronization
! no bgp default ipv4-unicast
interface Ethernet1/0 neighbor 222.2.1.1 remote-as 222
ip address 172.16.69.43 255.255.255.224 neighbor 222.2.1.1 update-source
Loopback0
no ip directed-broadcast
!
!
address-family ipv4 vrf RedH1
interface Ethernet1/1
redistribute connected
ip address 111.0.1.18 255.255.255.252
redistribute static
no ip directed-broadcast
no auto-summary
tag-switching ip
no synchronization
!
exit-address-family
interface Ethernet1/3
!
ip vrf forwarding RedH1
address-family vpnv4
ip address 111.0.1.117 255.255.255.252
neighbor 222.2.1.1 activate
no ip directed-broadcast
neighbor 222.2.1.1 send-community
! extended
interface FastEthernet2/0 exit-address-family
ip address 111.0.1.14 255.255.255.252 !
no ip directed-broadcast ip classless
tag-switching ip ip route 171.0.0.0 255.0.0.0 172.16.69.33
! ip route vrf RedH1 111.0.5.1
interface Serial4/0 255.255.255.255 Ethernet1/3 111.0.1.118
55
55
1.5.7.9 Configuration from: K-7204- !
mpls
interface Ethernet1/3
!
ip vrf forwarding RedS2
version 12.0
ip address 111.0.1.105 255.255.255.252
!
no ip directed-broadcast
hostname k-7204-mpls
!
!
interface FastEthernet2/0
ip cef
ip address 111.0.1.5 255.255.255.252
!
no ip directed-broadcast
ip vrf RedS1
tag-switching ip
rd 111:2
!
route-target export 101:1
interface Serial4/0
route-target import 100:1
ip vrf forwarding RedS1
route-target import 101:1
ip address 111.0.1.101 255.255.255.252
!
no ip directed-broadcast
ip vrf RedS2
clockrate 56000
rd 111:3
!
route-target export 102:1
router ospf 222
route-target import 100:1
redistribute connected
route-target import 102:1
network 111.0.1.0 0.0.0.255 area 0
!
network 222.2.1.1 0.0.0.0 area 0
interface Loopback0
default-metric 25
ip address 222.2.1.1 255.255.255.255
!
no ip directed-broadcast
router bgp 222
!
no synchronization
interface Ethernet1/0
no bgp default ipv4-unicast
ip address 172.16.69.44 255.255.255.224
neighbor 222.2.1.2 remote-as 222
no ip directed-broadcast
neighbor 222.2.1.2 update-source
! Loopback0
interface Ethernet1/1 !
ip address 111.0.1.1 255.255.255.252 address-family ipv4 vrf RedS2
no ip directed-broadcast redistribute connected
tag-switching ip redistribute static
56
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
end ip classless
ip route 171.0.0.0 255.0.0.0 172.16.69.33
!
57
57
end 1.5.9 PPP + MPLS-VPN
Configurations (Cisco
1.5.8 Fourth Configuration Example IOS 12.0(5)T)
– Default Routing
1.5.9.1 Diagram of PPP + MPLS-
Here, the reader will encounter solely the set of VPN European Testing
routing commands necessary to provide default
routing to a particular VPN, “VPN_Internet.”
exit-address-family !
! version 12.0
58
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
ip vrf RED !
rd 100:1 interface Serial1/1
route-target export 100:1 ip vrf forwarding GREEN
route-target import 100:1 ip address 199.10.52.2 255.255.255.0
! no ip directed-broadcast
ip vrf GREEN no fair-queue
rd 100:2 clockrate 64000
route-target export 100:2 !
route-target import 100:2 interface Ethernet3/0
! ip address 172.17.238.77 255.255.255.252
ip cef no ip directed-broadcast
! !
vpdn enable interface Ethernet3/1
! no ip address
vpdn-group 1 no ip directed-broadcast
accept dialin l2f virtual-template 1 remote nas-cisco !
local name pe1 interface Ethernet3/2
! no ip address
vpdn-group 2 no ip directed-broadcast
accept dialin l2f virtual-template 2 remote nas- !
albacom
interface ATM6/0
local name pe1
no ip address
!
no ip directed-broadcast
interface Loopback0
no atm ilmi-keepalive
ip address 2.2.2.2 255.255.255.255
!
no ip directed-broadcast
interface ATM6/0.1 tag-switching
!
ip address 199.10.21.2 255.255.255.0
interface Serial1/0
no ip directed-broadcast
ip vrf forwarding RED
tag-switching ip
ip address 199.10.72.2 255.255.255.0
!
no ip directed-broadcast
interface Virtual-Template1
no fair-queue
ip vrf forwarding GREEN
clockrate 64000
59
59
ip address 10.0.0.1 255.0.0.0 exit-address-family
no ip directed-broadcast !
peer default ip address pool CISCO address-family ipv4 vrf RED
ppp authentication chap redistribute connected
! neighbor 199.10.72.7 remote-as 777
interface Virtual-Template2 neighbor 199.10.72.7 activate
ip vrf forwarding RED no auto-summary
ip address 10.0.0.1 255.0.0.0 no synchronization
no ip directed-broadcast no bgp default ipv4-unicast
ip mroute-cache network 10.0.0.0
peer default ip address pool CISCO exit-address-family
ppp authentication chap !
! address-family vpnv4
router ospf 100 neighbor 3.3.3.3 activate
network 2.2.2.2 0.0.0.0 area 0 neighbor 3.3.3.3 next-hop-self
network 199.10.21.0 0.0.0.255 area 0 neighbor 3.3.3.3 send-community extended
! no auto-summary
router bgp 100 no bgp default ipv4-unicast
no synchronization exit-address-family
no bgp default ipv4-unicast !
neighbor 3.3.3.3 remote-as 100 ip local pool CISCO 10.0.0.10 10.0.0.30
neighbor 3.3.3.3 update-source Loopback0 no ip classless
no auto-summary ip route 172.17.238.0 255.255.255.0
172.17.238.78
!
ip route 172.17.238.80 255.255.255.240
address-family ipv4 vrf GREEN 172.17.238.78
redistribute connected route-map conn2bgp !
neighbor 199.10.52.5 remote-as 555 access-list 1 permit 10.0.0.0 0.255.255.255
neighbor 199.10.52.5 activate access-list 1 permit 4.0.0.0 0.255.255.255
no auto-summary access-list 2 deny 199.10.52.0 0.0.0.255
no synchronization access-list 2 permit any
no bgp default ipv4-unicast access-list 20 permit 199.10.52.0 0.0.0.255
network 10.0.0.0 route-map conn2bgp permit 10
60
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
61
61
N1 - OSPF NSSA external type 1, N2 - OSPF milab-2501b#sh runn
NSSA external type 2
Building configuration...
E1 - OSPF external type 1, E2 - OSPF external
type 2, E - EGP Current configuration:
! no ip mroute-cache
! interface Serial0
62
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
milab-2501b#exit no auto-summary
63
63
atm router pnni
4.0.0.0/32 is subnetted, 1 subnets no aesa embedded-number left-justified
B 4.4.4.4 [20/0] via 199.10.52.2, 4d00h node 1 level 56 lowest
5.0.0.0/32 is subnetted, 1 subnets redistribute atm-static
C 5.5.5.5 is directly connected, Loopback0 !
C 199.10.52.0/24 is directly connected, Serial0 interface Loopback0
ip address 1.1.1.1 255.255.255.255
milab-2501a#exit no ip directed-broadcast
!
[Connection to 5.5.5.5 closed by foreign host] interface ATM0/0/0
no ip address
milab-7206a#1.1.1.1 no ip directed-broadcast
Trying 1.1.1.1 ... Open !
interface ATM0/0/1
milab-ls1010#sh run no ip address
Building configuration... no ip directed-broadcast
!
Current configuration: interface ATM0/0/2
! ip address 199.10.21.1 255.255.255.0
version 12.0 no ip directed-broadcast
! no atm auto-configuration
hostname milab-ls1010 atm uni version 3.1
! atm maxvci-bits 10
ip subnet-zero tag-switching ip
ip host-routing !
! interface ATM0/0/3
atm lecs-address-default ip address 199.10.31.1 255.255.255.0
47.0091.8100.0000.0010.11be.b401.0010.0db0.203
3.00 1 no ip directed-broadcast
64
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
no ip directed-broadcast !
! interface ATM3/1/1
interface ATM1/0/0 no ip address
no ip address no ip directed-broadcast
no ip directed-broadcast !
! interface ATM3/1/2
interface ATM2/0/0 no ip address
ip address 172.17.238.22 255.255.255.240 no ip directed-broadcast
no ip directed-broadcast !
atm maxvp-number 0 interface ATM3/1/3
lane config auto-config-atm-address no ip address
lane client ethernet elan1 no ip directed-broadcast
! !
interface ATM3/0/0 router ospf 100
no ip address network 1.1.1.1 0.0.0.0 area 0
no ip directed-broadcast network 199.10.0.0 0.0.255.255 area 0
! !
interface ATM3/0/1 ip default-gateway 172.17.238.17
no ip address no ip classless
no ip directed-broadcast !
! snmp-server community public RO
interface ATM3/0/2 snmp-server community private RW
no ip address !
no ip directed-broadcast end
!
interface ATM3/0/3 milab-ls1010#sh ip rou
no ip address Codes: C - connected, S - static, I - IGRP, R
- RIP, M - mobile, B - BGP
no ip directed-broadcast
D - EIGRP, EX - EIGRP external, O -
! OSPF, IA - OSPF inter area
interface ATM3/1/0 N1 - OSPF NSSA external type 1, N2 -
no ip address OSPF NSSA external type 2
65
65
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - Building configuration...
candidate default
U - per-user static route, o - ODR
Current configuration:
T - traffic engineered route
!
version 12.0
Gateway of last resort is not set
!
hostname milab-7206b
1.0.0.0/32 is subnetted, 1 subnets
!
C 1.1.1.1 is directly connected, Loopback0
ip subnet-zero
2.0.0.0/32 is subnetted, 1 subnets
ip cef
O 2.2.2.2 [110/2] via 199.10.21.2, 4d00h,
ATM0/0/2 no ip domain-lookup
O 3.3.3.3 [110/2] via 199.10.31.3, 4d00h, ip vrf RED route-target export 100:1
ATM0/0/3 ip vrf RED route-target import 100:1
199.10.31.0/24 is variably subnetted, 2 subnets, 2 !
masks
ip vrf GREEN rd 100:2
S 199.10.31.3/32 is directly connected, ATM0/0/3
ip vrf GREEN route-target export 100:2
C 199.10.31.0/24 is directly connected, ATM0/0/3
ip vrf GREEN route-target import 100:2
172.17.0.0/28 is subnetted, 1 subnets
!
C 172.17.238.16 is directly connected, ATM2/0/0
!
199.10.21.0/24 is variably subnetted, 2 subnets, 2
masks interface Loopback0
milab-7206a# !
66
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
67
67
route-map rip2bgp permit 10 D - EIGRP, EX - EIGRP external, O -
OSPF, IA - OSPF inter area
match ip address 10
N1 - OSPF NSSA external type 1, N2 -
! OSPF NSSA external type 2
end E1 - OSPF external type 1, E2 - OSPF
external type 2, E - EGP
68
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
milab-7206b# no fair-queue
69
69
encapsulation ppp milab-2503#exit
dialer map ip 10.0.0.0 1231243 [Connection to 6.6.6.6 closed by foreign
host]
dialer-group 1
milab-7206b#telnet 6.6.6.6 /vrf RED
ppp authentication chap
Trying 6.6.6.6 ... Open
ppp chap hostname milab-2503
Password:
ppp chap password 7 051B07002D43
[Connection to 6.6.6.6 closed by foreign
ppp multilink host]
! milab-7206b#
ip classless milab-7206b#telnet 4.4.4.4 /vrf GREEN
ip route 0.0.0.0 0.0.0.0 Serial0 Trying 4.4.4.4 ... Open
ip route 10.0.0.0 255.0.0.0 BRI0 milab-2520#sh run
! Building configuration...
dialer-list 1 protocol ip permit Current configuration:
! !
end version 11.3
milab-2503#sh ip rou !
Codes: C - connected, S - static, I - IGRP, R - RIP, hostname milab-2520
M - mobile, B - BGP
!
D - EIGRP, EX - EIGRP external, O - OSPF, IA
- OSPF inter area username milab-2503 password 0 paolo
N1 - OSPF NSSA external type 1, N2 - OSPF ip subnet-zero
NSSA external type 2
multilink virtual-template 1
E1 - OSPF external type 1, E2 - OSPF external
type 2, E - EGP isdn switch-type basic-net3
70
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
! Building configuration...
no ip address !
71
71
vpdn search-order domain interface Serial0:15
vpdn-group 1 no ip address
request dialin l2f ip 172.17.238.77 domain dialer rotary-group 1
cisco.com
dialer-group 1
local name nas-cisco
isdn switch-type primary-net5
!
isdn incoming-voice modem
vpdn-group 2
!
request dialin l2f ip 172.17.238.77 domain
albacom.com interface Serial2:1
! !
! ip unnumbered Loopback0
! !
! !
! network 172.17.0.0
interface Ethernet0 !
! ip classless
72
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
72
It appears that Cisco's version of Constraint-based routing will be
referred to as MPLS Traffic Engineering versus the older name: RRR.
The reader needs to keep in mind that, technically speaking, MPLS TE and
RRR are not the same thing. MPLS TE is an application of RRR.
†
Thanks to Robert Raszuk for pointing to George Swallow's excellent
demo scenarios with those MPLS TE configurations.
73
The syntax change will occur in Cisco IOS 12.0(6)T.
74 75
At both the global and interface subcommand levels. As of Cisco IOS 12.0(6)T
73
73
1.5.10.3 MPLS TE Lab Configuration ip rsvp bandwidth 1000
Scenarios
mpls traffic-eng administrative-weight 10
NOTE: MPLS Traffic Engineering is a new
paradigm in inter-network traffic engineering. The !
reader is cautioned to verify command syntax as
int s1/2
well as default settings, as future versions of Cisco
IOS software are introduced. It may be possible for mpls traffic-eng tunnels
particular commands and command parameters to
change default values in the future. ip rsvp bandwidth 1000
74
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
ip unnum lo0
tunnel destination 17.17.17.17 3640-2#sh run
ip explicit-path identifier 2 !
next-address 136.0.0.2 !
ip unnum lo0 !
75
75
tunnel destination 17.17.17.17 1.5.11 Performance and
Management
tunnel mode mpls traffic-eng Characteristics
tunnel mpls traffic-eng autoroute announce
1.5.11.1 Scalability of MPLS-
tunnel mpls traffic-eng bandwidth 100 VPNs
tunnel mpls traffic-eng priority 1 1 In the design of MPLS-VPNs, there are a
number of different scalability variables that
tunnel mpls traffic-eng path-option 1 explicit id 2 the reader will hopefully be mindful of, until
more scalability information becomes
tunnel mpls traffic-eng path-option 2 dynamic
available from Engineering and real-world
lockdown
networks. Cisco does not currently have any
specific numbers to point the SP field to, so
far as design limitations of MPLS-VPN
! Create an explicit path entities are concerned.
ip explicit-path identifier 2 The reader will need to keep in mind that
current limitations may be eased, with the
next-address 131.0.0.2
introduction of a few MPLS-VPN features
next-address 135.0.0.2 that are on Development Engineering’s plate.
76
Once Outbound Route Filtering and/or inbound route target
filtering is available, this number is expected to rise.
76
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
4. The number of routing peers. This is a function of: 1.5.12 MPLS-VPN Must-knows
• The number of PE IBGP sessions the router is MPLS-VPN, like any new technology or
supporting paradigm, takes getting used to, before one
• The number of CE sessions becomes familiar with the appropriate
• The routing protocol used to the CE monitoring and debugging commands, as
The number depends on the Cisco IOS release, and well as overall how it functions.
the routing protocol. This is not really a VPN- • It is important to keep in mind that the
specific issue. The number is expected to be similar global routing table77 and the per-VRF
to the non-VPN case. routing table are independent entities. It is
5. The total forwarding bandwidth of the router in important to understand that the familiar
question, in terms of the packets-per-second (pps) Cisco IOS commands apply to IP routing in
and Mbps rates. a global routing table context. For example,
“show ip route,” and other EXEC-level
6. The forwarding features (e.g., Traffic Shaping or
show commands; as well as utilities such as
WFQ) that are enabled on the PE-CE links, which
ping, traceroute, and telnet; all invoke the
will most likely reduce the forwarding bandwidth
services of the Cisco IOS routines that deal
of the router. Again, this is not a VPN specific issue.
with the global IP routing table.
As the field develops more experience with MPLS-
• It is also important to become familiar with
VPN deployments, and as Engineering conducts
the fact that a local VRF interface on a PE
more performance testing, one will be able to
is not considered a directly-connected
provide more accurate scalability information.
interface in a traditional sense. When one
configures, for example, a Fast Ethernet
1.5.11.2 MPLS Network Management interface on a PE to participate in a
NOTE: The reader is cautioned to check with particular VRF/VPN, the interface no
Product Marketing and other resources for up-to- longer shows up as a directly-connected
date information on what will be available. interface when one issues a “show ip
route.” One needs to issue a “show ip route
1.5.11.2.1 MPLS MIBs vrf vrf-name” command in order to see that
The MPLS MIB undertaking involves the interface in a routing table.
introduction of the following potential MIBs: • One will also notice that it possible to issue
a standard “telnet” command from a CE
• MPLS-LDP router to connect to PE router. However,
• MPLS TE from that PE router, one needs to issue a
• VSI-controller “telnet CERouterName /vrf RF-NAME”
• Cisco MPLS command in order to connect from the PE
to CE router. Similarly, one needs to utilize
• Other
“traceroute” and “ping” commands in a
The goal of the development engineering is for VRF context.
reaching EFT status for the MPLS MIBs in CQ3’99.
• It will also be important to realize that the
1.5.11.2.2 Ping and RTR MIBs MPLS-VPN backbone relies on the
appropriate IGP that is configured for
In certain VPN environments, a Service Provider is
MPLS, e.g., EIGRP or OSPF. When one
interested in managing PE-CE links from the PEs.
issues a “show ip route” on a PE routers,
They would like to use the Ping MIB in order to
one should see the IGP-derived routes
perform management. However, the Ping and RTR
connecting the PEs together. Contrast that
MIBs are not VPN aware. Eureka, discussed
with the issuance of the “show ip route vrf
elsewhere in this document, does the correlation to
VRF-NAME” which will display IBGP
the VPN service.
77
I find this term confusing and mis-leading, but nevertheless,
one will encounter this term on different e-mail aliases’
exchanges and some engineering documentation.
77
77
routes connecting C sites in a particular VPN. It doesn’t appear that this stipulation will
• One can get around the lack of support for inter- change in the near future. As always, one
Service Provider MPLS-VPN connectivity, through needs to check with the Product Marketing
the utilization of GRE tunnels between two PE or the “tag-vpn” e-mail alias.
routers. So in a typical RBOC/ILEC environment
In this environment, there are two possible
(which is different than European and other PTTs),
workarounds:
an ILEC’s PE needs to have a GRE tunnel
connecting it to another PE from that same ILEC, 1. One is to use unique RDs for each Spoke
across an IXC network. Whether that IXC’s site, while
network supports MPLS-VPN on its own or not, 2. another would be to get H to perform
doesn’t really matter. summarization (dynamically, or statically).
• In Hub-and-Spokes MPLS-VPN environments, the Summarization is possible, but may be
Spoke routers have to have unique Route difficult when deploying Hub-and-Spokes
Distinguishers. In order to use the Hub site as a on an existing network.
transit point for connectivity in such an
environment, the Spoke sites export their routes to If none of the Spokes have the need for
the Hub. Meanwhile, the Hub router (through a independent Public Internet connections,
second interface) will re-export Spoke routes to the then the easiest workaround is to get the
other Spokes. Hub PE router to advertise 0/0 and not any
It appears at first, that the easiest way to handle the other routes. If that’s not possible, then
Hub-and-Spokes topology is to assign the same RD some summarization of the known
to all spoke VRFs, since the Spoke VRFs do not addressing space of the sites is the next best
exchange routes with one another, and therefore, alternative. If all else fails, dynamic
there is no need to make IP VPN routes unique. summarization at the Hub may be
Such routes are already unique by the logic of the appropriate.
topology.
These options are appropriate if Spoke IP
However, due to the current MPLS-VPN addresses do not have to be changed.
implementation, one must use a different RD for
The main aspect of this (I think) is that it’s
each spoke VRF. The BGP selection process applies
now clear to anyone that the RD doesn’t
to all the routes that have to be imported into the
play a role on the route distribution between
same VRF plus all routes that have the same RD of
PEs (route import/export are based on RTs,
such a VRF. Once the selection process is done,
versus RDs). However, due to the current
only the best routes are imported. In this case this
MPLS-VPN implementation, it just so
can result in a best route which is not imported. To
happens that the RD may play a role on the
illustrate, suppose one has a Hub-and-Spokes
route selection and influence the import
environment whereby there are CE routers H,
process.
S(poke)1, and S2. Suppose further that S1
advertises a route to 192.1.1.0/24, via its PE router, So, to summarize, customers must have
to sites H and S2. Using RTs, H’s PE will import different RDs per spoke-VRF. Cisco can
this route to this VPN. Now suppose H’s PE has provide workarounds to those Hub-and-
been configured to re-advertise this back up. Spokes environments, with summarization
Through its PE router, S2 receives the route to and default routing so long as those
192.1.1.0/24 from H. If the RDs are unique, then S2 workarounds are acceptable to the Service
now has two routes to 192.1.1.0/24 in the VPNv4 Provider’s customer.
BGP table. The two routes will not be compared. If
the two Spoke sites are utilizing the same RD, then • Must Have MPLS Connectivity amongst PE
the two afore-mentioned routes to 192.1.1.0/24 will routers (dynamic and/or TE tunnel). MPLS
be compared. This may cause the version from S1 to must be enabled across the backbone,
be preferred over the one from H, but the version utilizing either dynamic label switching or a
from S1 is not a candidate for inclusion in S2’s VRF, traffic- engineered tunnel between the
and so S2 gets no route to 192.1.1.0/24 at all. Provider Edge routers.
78
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
• Must have a /32 route for all PEs in IGP. This is 1.6 MPLS-VPN
because MPLS-VPN, as stated earlier, uses two- (Uncommitted78) Future
level labeling and so one must have a label that will Features
directly reach the router that assigned the second-
NOTE: This section discusses possible
level label.
future features for MPLS-VPN. This section
• Changing VRF forwarding on an interface removes was included to help answer some of the
the IP address. This surprises people is that when questions that have arisen in VPN
one changes the VRF forwarding on an interface, discussions. The reader should not discuss
the IP address associated with that interface is these features with anyone unless
removed and has to be configured. This is done on expectations have been set properly. None,
purpose! If a Service Provider is moving the some, or all of the features may be
existing address from one customer to another, it incorporated in the future.
doesn’t make sense to preserve the address on the
one that has just had VRF forwarding disabled.
1.6.1 PPP/VPN - Today79
Also by removing the address on the interface, it
makes sure that the routing protocols configured on
that interface properly adjust their routing
information.
• Must have CEF enabled on PE router.
• To ping (traceroute) between CE routers, must
either use extended ping, or ‘redistribute
connected’ into VPNv4 IBGP on PE.
• Traceroute between two CEs will display provider
nodes, unless ‘no tag ip propagate-ttl’ on PEs.
• Support for overlapping private ASNs. In today’s
implementation of MPLS-VPN, the BGP code will Figure 17 - PPP + MPLS/VPNs in Cisco iOS 12.OT
not strip the private ASN if it is equal to the
neighboring ASN. This precludes the use of
Currently, there are a few stipulations to
dummy ASNs (same private ASN at different sites).
configuring PPP + MPLS-VPN
However, so long as all ASNs of a VPN are unique,
one is okay with this configuration. One needs to • One has to define a virtual template per
keep in mind that the AS_PATH Attribute is VPDN in the Access Server80.
essential for detecting routing loops in BGP. If one • One can define only a single AAA server
strips private ASNs (and if the ASN happens to be per access server. Proxy is needed to be
the neighboring one), then the site is not able to able to redirect the AAA requests to
detect IP routing loops. That task will fall on the customers servers.
shoulders of the PE router. One needs to be even
• All the AAA customer servers must be in
more careful in environments that happen to also
the global routing table thus they must have
have backdoor connections amongst some customer
a unique IP address (NAT is not an
routers. The overlapping ASN scenario presents
alternative).
itself in environments where independent customers
have built networks with the same private ASNs. • One is also supposed to number the virtual
These customers then request intranet connectivity templates in the Access MPLS VPN
from a Service Provider utilzing MPLS-VPN. configuration. Previously one was not
These independent customers connect to the PE supposed to number virtual templates - they
routers via eBGP, but they would like not to re- were always unnumbered to some other
number their ASN. LAN or Loopback interface81.
78
As of the writing of this document (middle of June 1999).
79
In Cisco IOS 12.0(5)T and higher.
80
In 12.0T, one can have up to 25 Virtual Templates per dial-in
server. That is not a limitation in a wholesale dial environment.
81
This was because the Virtual Access interfaces that are
cloned from the Virtual Template took the IP address setting
79
79
1.6.2 PPP/VPN Integration – Multi-
1.6.3 PPP MPLS-VPN
FIB VPNs
Integration – Scaling
PPP
80
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
• Ingress PE router controls that the requested Further out, in the second half of 2000, there
multicast group is in the VPN is a possibility of having a DSL platform
• Ingress PE adds the Label and VRF into the PIM perform full-fledged MPLS-VPN
JOIN message functionality.
• P routers forward the PIM message
2 Cisco Service Management for
• PIM JOIN message are forwarded only to sites MPLS-VPN (aka
belonging to the same VPN “Eureka”)
VPN Solutions Center: MPLS Solutions 1.0,
(code named “Eureka” – and will be
referred to as Eureka in this document)83, is
a modular suite of network and service
management applications, that defines and
monitors VPN services for Service
Providers. It is that part of the operations
management that addresses flow-through
provisioning, service auditing, and SLA
measurement of IP MPLS-VPN
environments.
Figure 22 - Proposed MPLS/Multicast Support, the Next Steps
Eureka will also integrate with Cisco IP
• Egress PE router will remove the Label and VRF Manager (CIPM) for element management.
information in PIM JOIN message Other features include, CoS provisioning,
• Multicast destination address (224.X.X.X) is VPN-aware Netflow accounting, and
looked up in the VPN Multicast FIB Service Level Agreement (SLA) monitoring.
Eureka provides a complete set of
• A Multicast Label is imposed in front of the Packet provisioning, accounting and SLA
• Packet are transacted on the VPN multicast tree monitoring API’s.
81
81
• 512 MB of RAM and at least 4GB of Disk 2.2.1 Service Provisioning
• Oracle 7.3.4 Enterprise version database (CIPM 1.0
requirement)
82
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
83
83
These configurations can then be identified to respective routers. A process within Eureka
Eureka as a CE or PE router’s. The routers’s is able to convert the IOS configurations
definitons are now stored within the Eureka into object models for modeling and
repository as network objects. Eureka also allows analysis. This eases Eureka’s task which
the administrator to define address pools which may now compares two object models – the
be used to provision the PE to CE links, when a service object and the IOS configuration
service request comes in. models, to evaluate the additional
configuration needed to implement the
2.2.5 Service Requests service request. This additional
configuration, the configlet is then
Service Operators take all service request generated.
information from the customer. The product assists
the operator in making entries since it already has
2.2.7 Download
been initialized with information on the customers,
like the CE and PE routers that will be affected, the Eureka has a robust scheduler that allows
VPN etc. for scheduling downloads to the routers.
This allows batch downloads of service
GUI wizards step the operator through to accept the requests that can be scheduled for a non-
customer name, the CE router (if this definition peak period to be downloaded onto the
exists within Eureka ), as well as the VPN name. routers. Eureka uses IP Manager to
Eureka tries to simplify the task of provisioning the download84 the configurations to routers. If
PE and the CE by automating some of the tasks any problems occur in the actual download,
required in setting up an MPLS VPN. It does so by IP Manager will report the problem back to
using a CERC. Since MPLS VPNs are restrained Eureka, which can then show a report of all
routing communities rather than point-to-point service requests that were flagged because
connections, this concept allows Eureka to define of download problems.
the topology of this restrained community with
respect to the CE that is joining the VPN. A group
2.2.8 Auditing
of CERCs forms a VPN. Eureka allows the operator
to define whether the CE router, that is now joining Once the configurations have been
the CERC (part of the VPN), is joining it as a hub or downloaded, Eureka performs audit checks,
a spoke entity. Based on this information, Eureka is which will verify the proper state of a
able to generate values for the Route Targets (RTs) service request through the audit reports it
that are required in the Cisco IOS MPLS-VPN generates. The various states of a service
configuration. request can be as depicted in Fig 32. A
service is in the Pending state immediately
The service provisioning wizards will also allow after it has been created. The next step is to
definition of CoS requirements for the service. deploy the configuration that implements the
Eureka will support in its initial releas, the abillity to service request. If this has been achieved,
traffic shape the link between the CE and the PE in the service state is Deployed. Routes will
both directions and police at the PE into the core of appear in the appropriate VRF table and
the provider. connectivity between the different VPN
sites will exist. The service is now in the
Functional state. If a problem occurs while
trying to download the service request
2.2.6 Generating configlets
configlet, the state of the service request will
Eureka generates configlets using the service object continue to be Pending instead of Deployed.
model. Configlets can be defined as the delta Additionally, based on a series of tests done
configuration needed to provision the service by the auditing components, a configlet that
request on top of the existing router configuration. was Functional that happens to not be
This obviously implies some knowledge of the pre- exhibiting the connectivity it should, will
existing router configuration by Eureka. For this,
Eureka schedules collections from the network and
obtains the required configuration files from the 84
Via TFTP.
84
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
thereby cause the audit sub-system to transition the to provide the relevant router performance
service into a Broken state. data to third-party vendors such as Concord
or Portal, so that Service Providers can
obtain sophisticated reports on SLA and
performance, which are important in a
billing system. In addition, the system
performs the collection of other data from
the network elements that are of use in the
analysis of the Service-to-Network
correlation. Down-the-road, other products
such as Infocenter may be used in
conjunction with Eureka to perform fault
correlation between the service and the
affected network elements.
Service auditing has the ability to perform a
Figure 26-Servicve Auditing routing audit, by verifying reachability
amongst VPN sites. That is, it checks the
appropriate VRF.
Audit Reports can be viewed on a web browser.
Auditing is achieved by first performing collections
2.2.9 Reports Generated with
from the network. Information on network
Eureka 1.085
configuration and route tables is collected. By
comparing the object model of the service requests
2.2.9.1 Maximum Round Trip
against the object model of the network
Time (RTT)
configurations, Eureka can verify the state of the
each service. If the configuration deltas that (a) Per VPN
implement the service exist in their correct form in (b) Per source router
the configuration collected, then the service has
(c) Per customer
been deployed properly. If the VRF tables reflect
connectivity between the various VPN sites then the (d) Per SLA ID
service request is functional. These reports can be (e) Per class of Service
scheduled as tasks to run at different times and be (f) In contract and out of contract
organized by customers VPNs. Operators can take
corrective action, based on these reports, in the 2.2.9.2 Percentage Connectivity
event that a service request has a problem. of Devices
Once the service has been provisioned, there is a (g) Per VPN
need to audit the services on an on-going basis – to (h) Per source router
keep state information on these services, and be able (i) Per customer
to provide Operations Management reports. Eureka (j) Per SLA ID
1.0 will perform the collection of a variety of data
(k) Per class of Service
from the network elements. This information is
analyzed against the services that are to be (l) In contract and out of contract
implemented. Each service state is then established
2.2.9.3 Delay Threshold
with this audit.
Connectivity of Devices
Collection of data from the network is in the form of (m) Per VPN
detailed Netflow information (which can yield
(n) Per source router
information in the form of the Internet Data Records
– equivalent to the Call Data Records [CDR] in the (o) Per customer
Old Telephony world). Performance data such as
Round Trip Response Time (RTR) is also collected 85
The author cautions the reader to not assume that all of these
features will be available when Eureka 1.0 ships. Please check
from the network elements. This will allow Eureka proper documentation, e-mail aliases, and/or with Product
Marketing for more up-to-date information.
85
85
(p) Per SLA ID “tag switching” and then worked with the
(q) Per class of Service standards bodies and the networking
community to develop an open standard
(r) In contract and out of contract
based on tag switching.
2.2.9.4 Netflow Statistics and
Accounting 3.1.1 MPLS Availability
2.2.9.4.1 Overview of the Netflow Collector • MPLS is identical to Tag Switching in all
Netflow Collector is the software that gathers flow but the finest details. Specifically, Cisco’s
statistics from Cisco IOS devices. It is used for data current MPLS implementation uses the
collection, filtering and aggregation. The Netflow Cisco Tag Distribution Protocol (TDP)
data is stored on the Netflow workstations in flat instead of the Label Distribution Protocol
files. (LDP).
• LDP is based on TDP, and is identical to it
Netflow Collector version 3.0 needs to be installed in purpose and general operation. LDP and
on a separate workstation and the workstation is TDP differ only in message formats, and in
connected directly to the PE device. a few of the protocol procedures. TDP is
2.2.9.4.2 Netflow Reports within Eureka
openly published. Cisco is fully committed
to LDP. An LDP implementation is being
Netflow data will be periodically procured from the developed now, for field trials before the
Netflow Collector workstation using Eureka. The end of 1999.
data will be analyzed to create the following reports:
• Once LDP ships, a Cisco router will be able
(a) Accounting Summary Report to run LDP on some links while running
(b) TOS Summary Report TDP on others. This will provide full
interoperability with standards while also
(c) PE to PE
providing backwards compatibility with
(i) Traffic Between PE and Connected CEs prior releases of Cisco software. Since TDP
(ii) Traffic to CE by endpoints (ie CE to CE) and LDP differ so little, a fully functional
(d) PE to Customer MPLS network can readily operate with
TDP running on some links, and LDP
(i) By Application
running on others.
(ii) By Site
• There is a smooth transition between TDP
(iii) By CE to LDP in a network. TDP or LDP runs
(e) Customer independently on each link, so links may be
(i) Site to site changed from TDP to LDP one by one.
(ii) By application • At the May 1999 InterOp show in Las
(iii) By TOS Vegas, Cisco demonstrated MPLS inter-
operability, utilizing LDP.
2.2.10 Eureka 1.0 Status
3.1.2 To CR-LDP or not to CR-
The product is undergoing Early Field Trials (EFT). LDP
The First Customer Shipment (FCS) is expected in
September 1999. Cisco is at the forefront of developing a
standard for dynamically developing
constraint-based traffic paths. Cisco put
3 Appendices - Standards;
forth Routing for Resource Reservation
References; and Monitoring
(RRR) allowing Service Providers to take
and Debugging Information
advantage of Traffic-Engineered paths as
well as adjust to changing link conditions in
3.1 Appendix A – Cisco’s MPLS
a network. In fact, Cisco has software
Efforts
running in Service Provider trials
It is important to realize that Cisco is at the forefront performing that. RRR utilizes RSVP with
of the standardization movement. Cisco invented extensions to perform the signaling for the
86
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
development of traffic paths. Cisco does not feel applications of MPLS. These are generally
that it makes sense to develop a signaling protocol less advanced in the standards process.
from scratch (CR-LDP), since it will require a lot
more engineering effort and time for development, Once three inter-operable implementations
versus taking a proven protocol (RSVP), which is have been demonstrated, each MPLS
already a standard, and applying extensions to it to document will become a Draft Standard.
operate properly in a traffic-engineered environment, Once a technology reaches Draft Standard
supporting Constraint-based routing. status, standardization of it is effectively
complete.
3.1.3 Is MPLS a Standard Yet?
3.1.3.3 When is a Standard a
3.1.3.1 Last Call for WG or IESG Standard?
There is not really a single “MPLS standard”—there The IETF has a unique standards process
are several different specifications which are the which is different from other standards
core parts of MPLS. These documents are either at organizations‚. The IESG in the IETF grants
Working Group Last Call, or at Internet Engineering “Internet Standard” status to a technology
Steering Group (IESG) Last Call now. They should only after it has been widely deployed in the
pass Last Call by the middle of 1999. Once they Internet and used for some years. So, a
have passed the Last Calls, all technical discussion technology must be a standard for some
are completed, and the documents become years before it is finally granted “Internet
“Proposed Standard RFCs”. A Proposed Standard Standard” status.
RFC, and sometimes just the earlier Internet Draft, Many widely-used and effectively
are used as the basis for interoperability testing standardized protocols have never achieved
amongst vendors. The Proposed Standard RFC is Internet Standard status, or even Draft
changed only if issues arise during Inter-operability Standard status. The IS-IS IP routing
testing. Consequently, a Proposed Standard does protocol (RFC1195), for example, has been
have weight as “a standard”. widely used for many years, but has never
become a “Draft Standard,” let alone an
3.1.3.2 MPLS Core Specifications “Internet Standard.” It is still a “Proposed
A. There are four main documents. These are Standard.” Another example of a “Proposed
Internet Drafts, and are available from Standard” in wide use is Classless Inter-
“http://www.ietf.org/html.charters/mpls- Domain Routing (RFC1518, RFC1519),
charter.html.” which is used throughout the Internet, and
has helped slow down the growth rate of the
The documents are: global Internet table.
1. “MPLS Architecture”, draft-ietf-mpls-arch-04.txt
3.1.4 Cisco’s MPLS Efforts -
2. “MPLS Label Stack Encodings”, draft-ietf-mpls- Summary
label-encaps-03.txt
Let us separate fact from fiction! Cisco is
3. “MPLS using ATM VC Switching”, draft-ietf-
the leading vendor of MPLS-based
mpls-atm-01.txt
forwarding technologies, including MPLS-
4. “Label Distribution Protocol”, draft-ietf-mpls-ldp- VPN and Traffic Engineering over MPLS.
03.txt Other vendors, like Nortel and Lucent have
Three of these documents have already passed responded to customer and market pressures
Working Group Last Call and are expected to turn to support MPLS. In the next few months,
into Proposed Standard RFCs as soon as they are Cisco will officially come out with products
cleared by the IESG. The Label Distribution that are MPLS- and LDP-compliant.
Protocol is in Working Group Last Call now, and
will soon go to IESG Last Call also.
In addition, the working group is working on other
documents which describe optional extensions or
87
87
3.2 Appendix B – References
Reference Number Title Author(s)
RFC2547 BGP/MPLS VPNs Eric Rosen, Yakov Rekhter
ENG-23056 Tag-VPN Architecture Eric Rosen
RFC2283 Multiprotocol Extensions for BGP-4 T. Bates,R. Chandra, D. Katz,Y. Rekhter
Draft-ramachandra-bgp-ext-
communities-01.txt BGP Extended Communities Attribute Srihari Ramachandra, Daniel Tappan
rrr.doc Routing with Resource Reservation (RRR) Jonathan Jiang
ENG-29568, Rev. E IOS CLI for BGP/MPLS VPN Dan Tappan
EFT DRAFT Doc VPNs for Tag Switching
ENG-37750 Rev 1.1 RPM (MPLS) for MGX8850 Release 2.0+
Software Functional Specification Siu-Man Leung, Richard Lam,
Loanne Cheung
Internal Document MPLS Standardization & Cisco Q&A Jeremy Lawrence
86
The reader is (here we go again) cautioned to verify release and feature availability with Product Marketing or the appropriate e-mail aliases.
88
A Cisco 7200 (in a standalone or bundled fashion),
as well as the Cisco 7500 (in a standalone
configuration) will also be available around the
same time for the VSI and LSC functionality. In
other words, in late July, the BPX will obtain MPLS Figure 27 - "forumla" for BPX 8640 ATM LSR
functionality.
It is also expected that the RPM on the MGX On the other hand, the MGX 8850 is a new
platform will have LER functionality in CQ3’99, ATM switch which is primarily intended to
while LSR functionality on that integrated router be an edge switch. It incorporate a
module is anticipated to proceed to EFT status in multiservice access switch that incorporates
that same time period. a Cisco IOS full-featured router which runs
the Edge LSR function. The first customer
With the exception of Fast Reroute, MPLS TE is ship (FCS) of the MPLS function is
expected in Cisco IOS 12.0(5)S, as well as 12.0(6)T. expected in the first calendar quarter of
Opaque OSPF as an IGP for MPLS TE support, is 2000. Of course, engineering trials (EFT)
expected to be available in Cisco IOS 12.0(6)S. and beta will occur earlier.
M
X50
G 88
3.3.2 GSR MPLS-VPN Support
It is expected that certain GSR line cards (LCs) will
have MPLS-VPN functionality around the October + =
timeframe. One definitely needs to contact the GSR Edge Switc h Edge LSR s MGX 8850
IP+ATM Switch
Product Marketing team to inquire about MPLS-
VPN availability on which LCs. With some LCs, a Figure 28 - MGX 8850 IP+ATM Switch
hardware limitation exists that prevents the creation
3.3.3.2 The VSI Interface
of more than four FIBs/CEFs.
VSI is an interface between the network-
Generally speaking, newer LCs will have the layer and platform connection software. It
capability to support MPLS-VPN, not just in terms allows cross-connects to be established at a
of a higher number of FIBs supported, but also in switch. VSI connects routing and signaling
terms of hardware-based QoS capabilities, whereby software, for example, PNNI or MPLS; to
one does not pay a performance penalty when the MGX or BPX platform software, which
turning some QoS features on. actually establishes cross-connects and
The author of this document was not able to obtain manages resources. So the network-layer
more information regarding which LCs are going to software utilizes VSI to form cross-connects
support MPLS versus MPLS-VPN, and in what in the switch.
timeframe. Figure 29 shows MPLS and IP routing
processes with signaling (via VCs) between
3.3.3 MPLS Support in MSSBU them. MPLS and IP routing handle the end-
Platforms to-end signaling, deciding which
MPLS and MPLS-VPN support on the MSSBU connections need to be set up. Furthermore,
platforms involves utilizing a Label Switch at each point through the network, these
Controller and Routing control software. control processes use VSI to set up
connections, requesting that cross-connects
and VCs be set up end-to-end across the
3.3.3.1 General MSSBU MPLS
network.
Support
The BPX 8650 is a bundle that includes the BPX
8620 ATM WAN switch and a Label Switch
Controller based on a 7204/NPE 150 router. This
combination turns the BPX 8650 into an ATM
Label Switch Router.
89
connection88. All control and data traffic
between the router and the switch has to
End to End Co nnectio ns pass over that single link. On that single link,
MPLS, IP Routing
VSI Master
Ma
LDP
MPLS, IP Routing
VSI Master
LDP
MPLS, IP Routing
VSI Master
labels have to be assigned for all prefixes
Signalling Signa
ling
VSI VSI VSI
for which traffic passes from frame-based to
VSI Slave VSI Slave VSI Slave switch-based interfaces. And the number of
Platform
Pla Platform Platform
labels and prefixes one can support is
Cros s-
Connect VC
Cross-
Connect VC
Cross-
Connect
limited by the number of VCs that can
actually be created on that control link.
Figure 29 - VSI & End-to-End MPLS Signaling Depending upon the port adapter used, this
.
is either 2K or 4K VCs.
88
This, in fact, is the setup in the BPX 8650. The
87
It is also possible to utilize an existing 7200 or 7500 router running the recommendation pertains to customers procuring a 7200 or
appropriate IOS image (e.g., IOS 12.0(5)T for MPLS-VPN and IOS 7500 Series router separately and connecting it to the BPX
12.0(6)T for both MPLS-VPN and MPLS TE). 8620.
90
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
PXM
AXSM
AXSM PVC
LVC
The VSI slave in this AXSM
is used by another controller
to set up the PVC. Since it is not
used to set up the Label VC, it is
not shown in this diagram.
Figure 30 - Typical RPM Deployment Figure 32 - PVP connection between an RPM Edge LSR
and a BPX 8650 with an LSC
91
91
functionality similar to the external LSC that
connects to the BPX today. Unlike the BPX
8650 however, the MGX will be appropriate
for MPLS-VPN PE functionality, so long as
one utilizes at least two RPMs - one for LSC
functionality and another for the PE role.
Figure 33 - RPM Functionality withou FSC
92
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
3.4 Appendix D – Architecture of Due to this limitation, one often has the
RRR† situation where a part of the network is
This section provides a brief discussion on Routing over-utilized while another part is under-
with Resource Reservations (RRR, or R3). Traffic utilized. Traffic engineering attempts to
Engineering is an application that takes advantage address this issue92.
of RRR. Moving forward, Cisco IOS commands
will utilize the MPLS traffic engineering syntax 3.4.2 Traffic Engineering Case
versus “rrr.” Study
Consider the following network:
3.4.1 Introduction
The goal of traffic engineering is to maximize the
utilization of network resources. In a large Service
Provider network today, available network
bandwidth is inefficiently utilized because for each
destination, an intra-domain routing protocol (e.g.,
OSPF, IS-IS) finds a single “least-cost” route90. But
what if this least-cost route is not the only possible
one? Further, what if this link is over-subscribed, at
least during certain times of the day? For example,
in figure 36, there are two paths between the San
Francisco router and the New York router: San
Francisco-Chicago-New York; and San Francisco-
Dallas-Atlanta-New York. The routing protocol
Figure 37 - Traffic Engineering Example Topology
decides that the former path is preferred and
therefore all packets between these two points take
As shown in Figure 37, this network has
the former path91. Even when the San Francisco-
three OC-48 connections, between Chicago
Chicago-New York path is congested, packets are
and New York; San Francisco and New
not routed to the San Francisco-Dallas-Atlanta-New
York; and Dallas and Atlanta. The rest of
York path, which is not congested.
the connections are OC-12 and OC-3. In this
example, consider traffic engineering at the
San Francisco node. One has the following
traffic distribution information from the San
Francisco node:
89
For added excitement, MPLS TE support will also be in IOS 12.0(5)S,
but MPLS-VPN will not.
†
For more details on RRR and Traffic Engineering, refer to Jonathan
Jiang's RRR document, as per the References section.
90
Or multiple routes, up to six with Cisco IOS, but the routes are equally-
attractive.
91 92
One can manually override the default costs and utilze both of these Traffic engeinerring for a large IP network, in fact, has many
routes. However, this is not a scalable endeavor. Besides, there will be no more requirements. The reader is encouraged to read "draft-
utilization adjustment for congestion conditions. ietf-mpls-traffic-eng-00.txt"
93
93
Destination Required Bandwidth Path Comments
New York 1 Gbps SF-New York SF-New York link – size: 2.2
Gbps, required: 1 Gbps
New York 1 Gbps SF-New York SF-New York link – size: 2.2
Gbps, required: 1.8 Gbps
94
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
As shown in Table 2, the SF-Chicago and SF- on each host (i.e., a micro-flow) is clearly
Atlanta traffic now traverse New York. As a result, not scalable in a large network. In the
there is no longer any congestion on the network. traffic engineering model, RSVP sessions
The SF-New York link is better utilized. are created on a per-traffic-trunk basis. The
number of traffic trunks will be manageable
3.4.3 RRR Requirements when reasonable micro-flow aggregation
strategies are used.
RRR makes use of several foundation technologies:
• RSVP has no mechanism for routing
MPLS, OSPF or IS-IS, and RSVP with extensions.
signaling messages differently from normal
Rather than explaining these technologies in detail93,
IP packets. New RSVP objects are
the next few sections will briefly describe their roles
introduced in order to support traffic
in RRR environments while highlighting the
engineering. These objects are:
protocol extensions required for traffic engineering.
• Label object - used to carry the label
3.4.3.1 MPLS information necessary for LSP creation.
• Explicit route object - used to specify the
MPLS provides: hop-by-hop path the PATH and RESV
• an efficient and graceful method to override messages should follow.
destination-based forwarding, The reader is encouraged to review “draft-
• the mechanism to support nested explicit routes, ietf-mpls-rsvp-lsp-tunnel-02.txt,” and
and Jonathan Jiang’s RRR document.
• the ability to bind resources to paths, so that
packets forwarded along LSPs are able to utilize the
resources bound to LSPs. 3.4.3.3 OSPF and IS-IS
Label switching paths are established by the traffic Extensions
engineering procedures described above. Once IP
Either OSPF or IS-IS needs to be able to
packets enter the LSPs, they are guaranteed to be
carry resource information in their routing
forwarded along the pre-determined path regardless
updates. In the case of OSPF, one uses
of their IP headers. Readers are encouraged to
opaque LSAs to carry the resource
review “draft-ietf-mpls-arch-02.txt” and “draft-ietf-
attributes94. In the case of IS-IS, a new type-
mpls-framework-02.txt.”
length-value (TLV) entity is introduced to
carry the resource attributes in the link state
3.4.3.2 RSVP Extensions packets (LSPs). The reader is referred to
The usage of RSVP in traffic engineering deviates “draft-ietf-isis-traffic-00.txt” for details.
from the original design goals of RSVP. There are
So, to summarize, RRR uses:
several key differences:
• “Explicit” routing (aka “source routing”)
• In traffic engineering, the sender, instead of the
receiver determines the bandwidth required for • MPLS as the forwarding mechanism
each RSVP sessions. • RSVP(with extensions) as the mechanism
• RSVP was designed to support both unicast and for establishing Label Switched Paths
multicast, but the strong emphasis was placed on (LSPs)
supporting multicast. In traffic engineering, only • Extensions to OSPF/IS-IS, to overcome
unicast is supported. limitations of the single IGP metric
• The original intention of RSVP was to enable hosts
to reserve bandwidth for applications such as
multimedia. In the traffic engineering model, RSVP
is used only by edge routers. In addition,
maintaining an RSVP session for each application
94
FRC2370 defines the use of opque LSAs. Traffic engineering
93
There are several excellent resources within Cisco discussing details of extensions to OSPF are described in "draft-katx-yeung-ospf-
those inter-networking paradigms. traffic-00.txt"
95
95
3.4.4 Traffic Trunks and other RRR
Traffic Engineering Paradigms
RRR traffic (more appropriate within a Service
Provider environment) is a collection of traffic
trunks with known bandwidth requirements.
Traffic trunks are aggregated micro-flows95 that
share a common path. In the context of this
document, a “common path” does not refer to the
end-to-end path of the flows, but a portion of the
Figure 38 - MSSBU's Demo Setup, SP Bootcamp for SE's,
end-to-end path within the Service Provider’s March 22-26, 1999
network. Typically, the common path originates
between the ingress and egress of the service
provider’s Wide Area Network. 3.5.1 Software Versions
For example, all traffic originating from an IP
address in San Jose and destined for an address in 3.5.1.1 LS1010
New York City may constitute a traffic trunk, while IOS (tm) LS1010 W5-5 Software (LS1010-
all traffic between an address in Palo Alto and an WP-M), Version 12.0(1a)W5(5b),
address in Washington D.C. another. Optionally, RELEASE
one may require that all packets within a traffic
trunk have the same Class of Service. For example, SOFTWARE
all FTP and Telnet (priority 1) traffic between San
Francisco and New York City may be considered a 3.5.1.2 4700
trunk, and all VoIP (priority 5) traffic between San
IOS (tm) 4500 Software (C4500-JS-M),
Francisco and New York City another one.
Experimental Version
In a nutshell, RRR creates one or more explicit 12.0(19990211:021737) [BLD-
paths with bandwidth assurances for each traffic bgp_reorg.990210 114]
trunk. It takes into consideration the policy
constraints associated with the traffic trunks, and the 3.5.1.3 2611
physical network resources, as well as the topology
IOS (tm) C2600 Software (C2600-IS-M),
of the network. This way, packets are no longer
Version 11.3(7)T, RELEASE SOFTWARE
routed just based on destination, but also based on
(fc1)
resource availability, and policy.
3.5.2 Configuration Examples
3.5 Appendix E – Application Note:
MSSBU’s Demo Lab @ SP
3.5.2.1 LS1010-A
Base Camp Wk 296
version 12.0
!
hostname LS1010-A
!
ip subnet-zero
!
95
atm address
A mirco-flow refers to uni-directional packat transactions traveling from
a source to a destination using the same transport protocol and the same
47.0091.8100.0000.0050.e209.b801.0050.e
port nubmer. For example, an ftp session between two IP hosts constitutes 209.b801.00
two miroc-flows - one from the client to the servers, and the other from the
server to the client. Cistoc's orginal "NetFlow"
96
Ripin Checker was kind enough to supply this information
atm router pnni
96
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
redistribute atm-static !
! hostname LS1010-B
interface Loopback0 !
no ip directed-broadcast !
! atm address
47.0091.8100.0000.0050.e20a.5b01.0050.e2
interface ATM0/1/0 0a.5b01.00
ip unnumbered Loopback0 atm router pnni
no ip directed-broadcast no aesa embedded-number left-justified
tag-switching ip node 1 level 56 lowest
! redistribute atm-static
!
interface ATM0/1/1
interface Loopback0
ip unnumbered Loopback0
ip address 200.200.200.200
no ip directed-broadcast 255.255.255.255
tag-switching ip no ip directed-broadcast
! !
interface ATM0/1/2 interface ATM0/1/0
ip unnumbered Loopback0 ip unnumbered Loopback0
no ip directed-broadcast no ip directed-broadcast
tag-switching ip tag-switching ip
! !
router ospf 100 interface ATM0/1/1
network 100.100.100.100 0.0.0.0 area 100 ip unnumbered Loopback0
! no ip directed-broadcast
ip classless tag-switching ip
! !
end router ospf 100
network 200.200.200.200 0.0.0.0 area 100
!
97
97
ip classless ip unnumbered Loopback0
! no ip directed-broadcast
end tag-switching ip
!
router ospf 100
3.5.2.3 4700-A
version 12.0 network 1.1.1.1 0.0.0.0 area 100
! !
! no synchronization
! exit-address-family
interface Ethernet0 !
tag-switching ip exit-address-family
! !
no ip address !
no ip directed-broadcast end
!
interface ATM0.1 tag-switching
98
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
99
99
neighbor 192.168.4.2 activate ip vrf forwarding vpn2
no bgp default ipv4-unicast ip address 192.168.3.1 255.255.255.0
exit-address-family no ip directed-broadcast
! media-type 10BaseT
address-family vpnv4 tag-switching ip
neighbor 1.1.1.1 activate !
neighbor 1.1.1.1 send-community extended interface ATM0
neighbor 3.3.3.3 activate no ip address
neighbor 3.3.3.3 send-community extended no ip directed-broadcast
no bgp default ipv4-unicast !
exit-address-family interface ATM0.1 tag-switching
! ip unnumbered Loopback0
ip classless no ip directed-broadcast
! tag-switching ip
end !
router ospf 100
network 3.3.3.3 0.0.0.0 area 100
3.5.2.5 4700-C
version 12.0 !
! exit-address-family
interface Ethernet0 !
100
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
! voice-port 1/1/1
version 11.3 !
! interface Ethernet0/0
! !
! !
destination-pattern 14085551102 !
! 3.5.2.7 2611-B
dial-peer voice 300 voip Using 510 out of 29688 bytes
destination-pattern 14085551103 !
session target ipv4:192.168.3.2 version 11.3
! !
dial-peer voice 400 voip hostname 2611-B
destination-pattern 14085551104 !
session target ipv4:192.168.4.2 dial-peer voice 1000 pots
! destination-pattern 14085551102
101
101
port 1/0/0 network 192.168.2.0
! neighbor 192.168.2.1 remote-as 100
dial-peer voice 100 voip !
destination-pattern 14085551101 ip classless
session target ipv4:192.168.1.2 !
! end
dial-peer voice 300 voip
3.5.2.8 2611-C
destination-pattern 14085551103 version 11.3
session target ipv4:192.168.3.2 !
! hostname 2611-C
dial-peer voice 400 voip !
destination-pattern 14085551104 dial-peer voice 1000 pots
session target ipv4:192.168.4.2 destination-pattern 14085551103
! port 1/0/0
num-exp 1101 14085551101 !
num-exp 1102 14085551102 dial-peer voice 100 voip
num-exp 1103 14085551103 destination-pattern 14085551101
num-exp 1104 14085551104 session target ipv4:192.168.1.2
! !
voice-port 1/0/0 dial-peer voice 200 voip
! destination-pattern 14085551102
voice-port 1/0/1 session target ipv4:192.168.2.2
! !
voice-port 1/1/0 dial-peer voice 400 voip
! destination-pattern 14085551104
voice-port 1/1/1 session target ipv4:192.168.4.2
! !
interface Ethernet0/0 num-exp 1101 14085551101
ip address 192.168.2.2 255.255.255.0 num-exp 1102 14085551102
! num-exp 1103 14085551103
router bgp 102 num-exp 1104 14085551104
no synchronization !
102
MPLS VPN CONFIGURATION
AND DESIGN GUIDE
! interface Ethernet0/0
! !
! !
destination-pattern 14085551101 !
!
dial-peer voice 200 voip
103
103